LNCS 3269 




Javier Lopez 
Sihan Qing 
EijiOkamoto (Eds.) 



Information and 
Communications 
Security 

6th International Conference, ICICS 2004 



Malaga, Spain, October 2004 
Proceedings 



4^ Springer 




Lecture Notes in Computer Science 

Commenced Publication in 1973 
Founding and Former Series Editors: 

Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen 



Editorial Board 

David Hutchison 

Lancaster University, UK 
Takeo Kanade 

Carnegie Mellon University, Pittsburgh, PA, USA 
Josef Kittler 

University of Surrey, Guildford, UK 
Jon M. Kleinberg 

Cornell University, Ithaca, NY, USA 
Friedemann Mattern 

ETH Zurich, Switzerland 
John C. Mitchell 

Stanford University, CA, USA 
Moni Naor 

Weizmann Institute of Science, Rehovot, Israel 
Oscar Nierstrasz 

University of Bern, Switzerland 
C. Pandu Rangan 

Indian Institute of Technology, Madras, India 
Bernhard Steffen 

University of Dortmund, Germany 
Madhu Sudan 

Massachusetts Institute of Technology, MA, USA 
Demetri Terzopoulos 

New York University, NY, USA 
Doug Tygar 

University of California, Berkeley, CA, USA 
Moshe Y. Vardi 

Rice University, Houston, TX, USA 
Gerhard Weikum 

Max-Planck Institute of Computer Science, Saarbruecken, Germany 



3269 




Javier Lopez Sihan Qing 
Eiji Okamoto (Eds.) 



Information and 

Communications 

Security 



6th International Conference, ICICS 2004 
Malaga, Spain, October 27-29, 2004 
Proceedings 



4cl Springer 




Volume Editors 



Javier Lopez 
University of Malaga 
Computer Science Department 

E.T.S. Ingenieria Informatica, Campus de Teatinos, 29071 Malaga, Spain 
E-mail: jlm@lcc.uma.es 

Sihan Qing 

Chinese Academy of Sciences 
Institute of Software 

4 4th Street South, ZhongGuanCun, Beijing 100080, China 
E-mail: qsihan@ercist.iscas.ac.cn 

Eiji Okamoto 
University of Tsukuba 

Graduate School of Systems and Information Engineering 
1-1-1 Ten-nohdai, Tsukuba 305-8573, Japan 
E-mail : okamoto @ risk. tsukuba. ac .jp 



Library of Congress Control Number: 2004113914 



CR Subject Classification (1998): E.3, G.2.1, D.4.6, K.6.5, F.2.1, C.2, J.l 
ISSN 0302-9743 

ISBN 3-540-23563-9 Springer Berlin Heidelberg New York 



This work is subject to copyright. All rights are reserved, whether the whole or part of the material is 
concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, 
reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication 
or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, 
in its current version, and permission for use must always be obtained from Springer. Violations are liable 
to prosecution under the German Copyright Law. 

Springer is a part of Springer Science+Business Media 

springeronline.com 

© Springer-Verlag Berlin Heidelberg 2004 
Printed in Germany 

Typesetting: Camera-ready by author, data conversion by Olgun Computergrafik 
Printed on acid-free paper SPIN: 11326922 06/3142 5 4 3 2 1 0 




Preface 



This volume contains the proceedings of the 6th International Conference on Informa- 
tion and Communications Security (ICICS 2004), Torremolinos (Malaga), Spain, 27-29 
October 2004. The five previous conferences were held in Beijing, Sydney, Xian, Sin- 
gapore and Huhehaote City, where we had an enthusiastic and well-attended event. The 
proceedings were released as volumes 1334, 1726, 2229, 2513 and 2836 of the LNCS 
series of Springer, respectively. 

During these last years the conference has placed equal emphasis on the theoretical 
and practical aspects of information and communications security and has established 
itself as a forum at which academic and industrial people meet and discuss emerging 
security challenges and solutions. We hope to uphold this tradition by offering you yet 
another successful meeting with a rich and interesting program. 

The response to the Call for Papers was overwhelming, 245 paper submissions were 
received. Therefore, the paper selection process was very competitive and difficult - 
only 42 papers were accepted. The success of the conference depends on the quality of 
the program. Thus, we are indebted to our Program Committee members and the exter- 
nal referees for the great job they did. These proceedings contain revised versions of the 
accepted papers. Revisions were not checked and the authors bear full responsibility for 
the content of their papers. 

Other persons deserve many thanks for their contribution to the success of the con- 
ference. Prof. Jose M. Troya was the Conference Chair, and Prof. Eiji Okamoto was 
General Co-chair. We sincerely thank both of them for their total support and encour- 
agement, and for their contribution to all organizational issues. Our special thanks to 
Jose A. Onieva, one of the major driving forces in the organization. He did a great job 
in the successful promotion of the conference, management of the WebReview applica- 
tion and assistance in the editorial process for the accepted papers. We also thank Jose 
A. Montenegro and Isaac Agudo for their help in those tasks. Without the hard work by 
these colleagues and the other members of the local organization team, this conference 
would not have been possible. 

Finally, we thank all the authors who submitted papers and the participants from all 
over the world who chose to honor us with their attendance. 



October 2004 



Javier Lopez 
Sihan Qing 




ICICS 2004 

6th International Conference 
on Information and Communications Security 



Malaga, Spain 
October 27-29, 2004 



Organized by 

Computer Science Department 
University of Malaga 
(Spain) 



Conference Chairman 

Jose M. Troya University of Malaga, Spain 



Program Co-chair 

Sihan Qing 

Program Co-chair, General Co-chair 

Javier Lopez 

General Co-chair 

Eiji Okamoto 

Program Committee 

Tuomas Aura 
Tom Berson 
Jeremy Bryans 
Alex Biryukov 
Colin Boyd 
Chin-Chen Chang 
Joris Claessens 
George Davida 
Ed Dawson 
Robert Deng 
Yvo Desmedt 
Josep Domingo 
Pierre- Alain Fouque 
Yair Frankel 



Chinese Academy of Sciences, China 



University of Malaga, Spain 



University of Tsukuba, Japan 



Microsoft Research, UK 
Anagram Laboratories, USA 
University of Newcastle, UK 
Katholieke Universiteit Leuven, Belgium 
Queensland Univ. of Technology, Australia 
National Chung Cheng University, Taiwan 
European Microsoft Innov. Center, Germany 
University of Wisconsin-Milwaukee, USA 
Queensland Univ. of Technology, Australia 
Institute for Infocomm Research, Singapore 
University College London, UK 
Universitat Rovira i Virgili, Spain 
Ecole Normale Superieure, France 
TechTegrity LLC, USA 




Organization YII 



Dieter Gollmann 


TU Hamburg-Harburg, Germany 


Yongfei Han 


ONETS, China 


Goichiro Hanaoka 


University of Tokyo, Japan 


Ki-Yoong Hong 


Secuve, Korea 


Sokratis Katsikas 


University of the Aegean, Greece 


Kwangjo Kim 


Information and Comm. University, Korea 


Chi- Sung Laih 


National Cheng Kung University, Taiwan 


Wenbo Mao 


HP Labs. Bristol, UK 


Masahiro Mambo 


Tohoku University, Japan 


Fabio Massacci 


Universita di Trento, Italy 


Catherine Meadows 


Naval Research Laboratory, USA 


Chris Mitchell 


Royal Holloway, UK 


Guevara Noubir 


Northeastern University, USA 


Rene Peralta 


Yale University, USA 


Giuseppe Persiano 


Universita di Salerno, Italy 


Josef Pieprzyk 


Macquarie University, Australia 


David Pointcheval 


Ecole Normale Superieure, France 


Jean-Jacques Quisquater 


Universite Catholique de Louvain, Belgium 


Kouichi Sakurai 


Kyushu University, Japan 


Miguel Soriano 


Universidad Politecnica de Catalunya, Spain 


Routo Terada 


University of Sao Paulo, Brazil 


Victor K. Wei 


Chinese Univ. Hong Kong, China 


Vijay Varadharajan 


Macquarie University, Australia 


Moti Yung 


Columbia University, USA 


Yulian Zheng 


University of North Carolina, USA 


Jianying Zhou 


Institute for Infocomm Research, Singapore 




VIII Organization 



External Referees 

Michel Abdalla 
Habtamu Abie 
Mohammed Anish 
Nuttapong Attrapadung 
Mauro Barni 
Lejla Batina 
Giampaolo Bella 
Siddika Berna Ors 
Enrico Blanzieri 
Andrea Boni 
An Braeken 
Mauro Brunato 
Dario Catalano 
Christophe De Canniere 
Roberto Caso 
Jordi Castella 
Jung-Hui Chiu 
Andrew Clark 
Yang Cui 
Claudia Diaz 
Jiang Du 

Marcel Fernandez 
Ernest Foo 
Jordi Forne 
Cedric Fournet 
Martin Gagne 
Paolo Giorgini 
Andy Gordon 
Fouis Granboulan 
Fabrizio Granelli 
Stefanos Gritzalis 
Joshua Goodman 
Juanma Gonzalez-Nieto 
Jaime Gutierrez 
DongGu Han 
Matt Henricksen 
Yvonne Hitchcock 
Yoshiaki Hori 
Fuigi Fo Iacono 
John Iliadis 
Kenji Imamoto 
QingGuang Ji 
Jianchun Jiang 



Ioanna Kantzavelou 
Tansel Kaya 
Hyung Kim 
Shinsaku Kiyomoto 
Tetsutaro Kobayashi 
Satoshi Koga 
Spyros Kokolakis 
Hristo Koshutanski 
Hartono Kurnio 
Kaoru Kurosawa 
Costas Fambrinoudakis 
Joseph Fano 
Dimitrios Fekkas 
Dequan Fi 
Gaicheng Fi 
Jung-Shian Fi 
Guolong Fin 
Piping Fi 

Anna Fysyanskaya 
Hengtai Ma 
Antonio Mana 
Carlo Marchetti 
Gwenaelle Martinet 
Antoni Martinez 
Bill Millan 
Kunihiko Miyazaki 
Anish Mohammed 
Costas Moulinos 
Jose A. Montenegro 
Haris Mouratidis 
Frederic Muller 
Bill Munro 
Jose F. Munoz 
Anderson C.A. 

Nascimento 
Svetla Nikova 
Masayuki Numao 
Koji Okada 
Jose A. Onieva 
Juan J. Ortega 
Thea Peacock 
Josep Pegueroles 
Kun Peng 



Bart Preneel 
Wei Qian 
Nataliya Rassadko 
Jason Reid 
Michael Roe 
Rodrigo Roman 
Carsten Rudolph 
Tatsiana Sabel 
Ryuichi Sakai 
Taiichi Saito 
Francesc Sebe 
Stefaan Seys 
SeongHan Shin 
Feonie Simpson 
Igor Shparlinski 
Ron Steinfeld 
Makoto Sugita 
Toshihiro Tabata 
Keisuke Takemori 
Keisuke Tanaka 
Fiuying Tang 
Vrizlynn Thing 
Theodoros Tzouramanis 
ZhiMin Sun 
Yoshifumi Ueshige 
Chao Wang 
Huaxiong Wang 
Shuhong Wang 
Yin Wang 
Weiping Wen 
Duncan S. Wong 
Hongjun Wu 
Mariemma Yague 
Kira Yamada 
Ching-Nung Yang 
Robbie Ye 
Nicola Zannone 
Rui Zhang 
Yongbin Zhou 
Xukai Zou 
Feng Zhu 
Alf Zugenmaier 




Table of Contents 



On the Minimal Assumptions of Group Signature Schemes 1 

Michel Abdalla and Bogdan Warinschi 

Perfect Concurrent Signature Schemes 14 

Willy Susilo, Yi Mu , and Fangguo Zhang 

New Identity-Based Ring Signature Schemes 27 

Javier Herranz and German Saez 

On the Security of a Multi-party Certified Email Protocol 40 

Jianying Zhou 

Robust Metering Schemes for General Access Structures 53 

Ventzislav Nikov, Svetla Nikova, and Bart Preneel 

PayFlux - Secure Electronic Payment in Mobile Ad Hoc Networks 66 

Klaus Herrmann and Michael A. Jaeger 

Flexible Verification of MPEG-4 Stream in Peer-to-Peer CDN 79 

Tieyan Li, Yongdong Wu, Di Ma, Huafei Zhu, and Robert H. Deng 

Provably Secure Authenticated Tree Based Group Key Agreement 92 

Ratna Dutta, Rana Barua, and Palash Sarkar 

Taxonomic Consideration to OAEP Variants and Their Security 105 

Yuichi Komano and Kazuo Ohta 

Factorization-Based Fail-Stop Signatures Revisited 118 

Katja Schmidt-Samoa 

A Qualitative Evaluation of Security Patterns 132 

Spyros T. Halkidis, Alexander Chatzigeorgiou, and George Stephanides 

Type Inferability and Decidability of the Security Problem 

Against Inference Attacks on Object-Oriented Databases 145 

Yasunori Ishihara, Yumi Shimakawa, and Torn Fujiwara 

Volatile Memory Computer Forensics to Detect Kernel Fevel Compromise 158 

Sandra Ring and Eric Cole 

A Secure Workflow Model Based on Distributed Constrained Role 

and Task Assignment for the Internet 171 

Ilanit Moodahi, Ehud Gudes, Oz Lavee, and Amnon Meisels 




X 



Table of Contents 



Hydan: Hiding Information in Program Binaries 187 

Rakan El-Khalil and Angelos D. Keromytis 

A Semi-fragile Steganographic Digital Signature for Images 200 

Luke Hebbes and Andrew Lenaghan 

Identification of Traitors Using a Trellis 211 

Marcel Fernandez and Miguel Soriano 

Decentralized Publish-Subscribe System to Prevent Coordinated Attacks 

via Alert Correlation 223 

Joaquin Garcia, Fabien Autrel, Joan Borrell, Sergio Castillo, 

Frederic Cuppens, and Guillermo Navarro 

Reflector Attack Traceback System with Pushback Based iTrace Mechanism .... 236 
Hyung-Woo Lee, Sung-Hyun Yun, Taekyoung Kwon, Jae-Sung Kim, 

Hee-Un Park, and Nam-Ho Oh 

Automatic Covert Channel Analysis of a Multilevel Secure Component 249 

Ruggero Lanotte, Andrea Maggiolo-Schettini, Simone Tini, 

Angelo Troina, and Enrico Tronci 

Sound Approximations to Diffie-Hellman Using Rewrite Rules 262 

Christopher Lynch and Catherine Meadows 

On Randomized Addition- Subtraction Chains 

to Counteract Differential Power Attacks 278 

Anton Kargl and Gotz Wiesend 

New Power Analysis on the Ha-Moon Algorithm and the MIST Algorithm 291 

Sang Gyoo Sim, Dong Jin Park, and Pil Joong Lee 

Modified Power- Analysis Attacks on XTR and an Efficient Countermeasure 305 

Dong-Guk Han, Tetsuya Izu, Jongin Lim, and Kouichi Sakurai 

Modelling Dependencies Between Classifiers in Mobile Masquerader Detection . . 318 
Oleksiy Mazhelis, Seppo Puuronen, and Jari Veijalainen 

Threat Analysis on NEtwork Mobility (NEMO) 331 

Souhwan Jung, Fan Zhao, S. Felix Wu, and HyunGon Kim 

Macro-level Attention to Mobile Agent Security: 

Introducing the Mobile Agent Secure Hub Infrastructure Concept 343 

Michelangelo Giansiracusa, Selwyn Russell, Andrew Clark, and Volker Roth 

Securing the Destination-Sequenced Distance Vector Routing Protocol 

(S-DSDV) 358 

Tao Wan, Evangelos Kranakis, and Paul C. van Oorschot 




Table of Contents 



XI 



Secret-Public Storage Trade-Off for Broadcast Encryption Key Management .... 375 
Miodrag J. Mihaljevic, Marc P. C. Fossorier, and Hideki Imai 

Security Analysis of the Generalized Self- shrinking Generator 388 

Bin Zhang, Hongjun Wu, Dengguo Feng, and Feng Bao 

On Asymptotic Security Estimates in XL 

and Grobner Bases-Related Algebraic Cryptanalysis 401 

Bo-Yin Yang, Jiun-Ming Chen, and Nicolas T. Courtois 

On Some Weak Extensions of AES and BES 414 

Jean Monnerat and Serge Vaudenay 



Clock Control Sequence Reconstruction in the Ciphertext Only Attack Scenario . . 427 
Slobodan Petrovic and Amparo Fuster-S abater 



Transient Fault Induction Attacks on XTR 440 

Mathieu Ciet and Christophe Giraud 

Adaptive-CCA on OpenPGP Revisited 452 

Hsi- Chung Lin, Sung -Ming Yen, and Guan-Ting Chen 

A New Key-Insulated Signature Scheme 465 

Nicolas Gonzalez-Deleito, Olivier Markowitch, and Emmanuel DalV Olio 

Secure Hierarchical Identity Based Signature and Its Application 480 

Sherman S.M. Chow, Lucas C.K. Hui, Siu Ming Yiu, and K.P. Chow 

Multi-designated Verifiers Signatures 495 

Fabien Laguillaumie and Damien Vergnaud 

Dynamic Access Control for Multi-privileged Group Communications 508 

Di Ma, Robert H. Deng, Yongdong Wu, and Tieyan Li 

An Efficient Authentication Scheme Using Recovery Information in Signature ... 520 
Kihun Hong and Souhwan Jung 

Time-Scoped Searching of Encrypted Audit Logs 532 

Darren Davis, Fabian Monrose, and Michael K. Reiter 

Rights-Carrying and Self-enforcing Information Objects 

for Information Distribution Systems 546 

Habtamu Abie, Pal Spilling, and Bent Foyn 

Author Index 563 




On the Minimal Assumptions 
of Group Signature Schemes 



Michel Abdalla 1 and Bogdan Warinschi 2 

1 Departement d’Informatique 
Ecole Normale Superieure 
45 me d’Ulm, 75230 Paris Cedex 05, France 
Michel . AbdallaOens . f r 
http : //www. michelabdalla.net 
2 Computer Science Department 
University of California at Santa Cruz 
1156 High Street, Santa Cruz, CA 95064, USA 
bogdan@cse . ucsc . edu 
http: //www. cs .ucsd.edu/~bogdan 



Abstract. One of the central lines of cryptographic research is iden- 
tifying the weakest assumptions required for the construction of secure 
primitives. In the context of group signatures the gap between what is 
known to be necessary (one-way functions) and what is known to be suf- 
ficient (trapdoor permutations) is quite large. In this paper, we provide 
the first step towards closing this gap by showing that the existence of 
secure group signature schemes implies the existence of secure public- 
key encryption schemes. Our result shows that the construction of se- 
cure group signature schemes based solely on the existence of one-way 
functions is unlikely. This is in contrast to what is known for standard 
signature schemes, which can be constructed from any one-way function. 

Keywords: Group signatures, one-way functions, trapdoor permuta- 
tions, minimal assumptions. 



1 Introduction 

Motivation. One of the central lines of cryptographic research is identifying 
the weakest assumptions required for the construction of secure primitives. This 
is important not only to better understand the different relations among exist- 
ing primitives, but also to learn the minimal conditions without which a certain 
primitive cannot exist. Yet another reason for finding the weakest assumptions 
is that stronger assumptions may later be found to be false while weaker as- 
sumptions may still hold. Therefore, by closing the gap between which primitive 
is sufficient and what is necessary to build a given cryptographic function such 
as encryption or group signatures, one can determine the exact conditions that 
need be met for them to exist. 

While several implications and separations are known in the literature for 
primitives such as standard signatures and public-key encryption, very little is 



J. Lopez, S. Qing, and E. Okamoto (Eds.): ICICS 2004, LNCS 3269, pp. 1-13, 2004. 
(c) Springer- Verlag Berlin Heidelberg 2004 




2 



Michel Abdalla and Bogdan Warinschi 



known for group signatures despite the intuition that the latter appears to be 
a stronger primitive than standard signatures. Currently, group signatures are 
only known to be implied by trapdoor permutations [9] and to imply one-way 
functions [30], a quite large gap. Addressing this problem is the main goal of 
this paper. 

Preliminaries. In order to better understand our results, let us briefly recall 
the definitions for the basic primitives given in Figure 1. The most basic of the 
cryptographic primitives is a one-way function. Loosely speaking, a function is 
said to be one-way if it is easy to compute (on any input) but hard to invert 
(on average), where easy means computable in polynomial time on the length 
of the input. Another basic primitive is a trapdoor one-way function , or simply 
trapdoor function, introduced by Diffie and Heilman [16] in the seminal work 
which laid out the foundations of public-key cryptography. Informally, a one- 
way function is said to be trapdoor if it has associated to it a secret trapdoor 
which allows anyone in its possession to easily invert it. The notions of one- 
way permutations and trapdoor permutations are defined in a similar manner. 
The notion of trapdoor predicates , introduced by Goldwasser and Micali [21], is 
slightly different. Approximately, trapdoor predicates are probabilistic functions 
over {0, 1} which are easy to compute given a public key but whose output 
distributions on inputs 0 and 1 are hard to distinguish by any algorithm not in 
possession of the trapdoor information. 

Since we will be using terms such as implications and separations throughout 
the paper, we should also recall what we mean by that. Consider for example two 
cryptographic primitives S and P. In order to properly relate their security, one 
usually makes use of reductions. More precisely, a primitive P is said to imply 
a primitive S if the security of P has been demonstrated to imply the security 
of S. More precisely, we use this phrase when someone has formally defined the 
goals Gp and Gs for primitives P and S', respectively, and then has proven 
that the existence of an adversary As who breaks primitive S, in the sense of 
violating G^, implies the existence of an adversary Ap who breaks primitive P, 
in the sense of violating Gp. 

Proving a separation between two primitives, however, is a more subtle prob- 
lem since it is not clear what it means to say that a given primitive does not 
imply another primitive. To overcome this problem, one usually uses the method 
due to Impagliazzo and Rudich [25] of restricting the class of reductions for which 
the separation holds. More specifically, they noted the fact that the vast majority 
of the reductions in cryptography uses the underlying primitive as a black-box 
and based on that, they introduced a method for proving separations between 
primitives with respect to these types of reductions. 

Background on group signatures. The notion of group signatures was in- 
troduced by Chaum and van Heyst [14] and describes a setting in which indi- 
viduals within a group can sign messages with respect to the group. According 
to [14], a secure group signature scheme should satisfy two basic requirements, 
anonymity and traceability. While the former says that the identity of the signer 
should remain unknown to anyone verifying the signature including other group 




On the Minimal Assumptions of Group Signature Schemes 



3 




Fig. 1 . Implications and black-box separations between primitives. 



elements, the latter asks that there should exist an entity, called the group man- 
ager, capable of revoking the anonymity of signer whenever necessary. 

Since the original work of Chaum and van Heyst [14], several other schemes 
have been proposed in the literature (e.g., [1,3,2,15,13,12,26]), each with its 
own set of security properties and requirements. It was only recently, however, 
that a formal model of security for group signatures was put forward [9] , combin- 
ing the increasing set of security requirements into two basic properties, called 
full- anonymity and full-traceability. These two basic properties were shown to 
imply in the case of static groups all of the existing security properties of previous 
scheme. Subsequent works also give formal definitions for dynamic groups [27, 
10 ]. 

Such formal definitions have many benefits. They not only allow for concrete 
and simpler proofs of security (only two properties need be satisfied), but they 
also allow us to better understand what it means to be a secure group signature 
scheme and its implications. It also allows us to draw precise relations between 
group signatures and other cryptographic primitives. In fact, the implications 
proven in this paper are only possible in the presence of such formal models of 
security. 

Contributions. In this paper, we provide the first step towards closing the 
gap between what is known to be sufficient to construct secure group signatures 
and what is known to be necessary. We do so by showing that group signatures 
imply public-key encryption and thus are unlikely to be constructed based solely 
on the existence of one-way functions (see Figure 1). 

The separation between group signatures and one-way functions is a direct 
consequence of our work and that of Impagliazzo and Rudich [25] which showed 
that any such construction would either make use of non-black-box reduction 
techniques or prove along the way that P ^ NP. Recently, in [29], Reingold, 
Trevisan, and Vadhan improved on that by removing the condition that P ^ 
NP. In other words, such construction would definitely have to rely on non- 
black-box reduction techniques. The implications of such results are of great 
importance since almost all reductions in cryptography are black-box. 

Related work. Over the years, several results proving either implications or 
separations among different primitives appeared in the literature. Among the 



4 



Michel Abdalla and Bogdan Warinschi 



results that are more relevant to our work are those for signatures and public- 
key encryption. 

Since the work of Goldwasser, Micali, and Rivest [22] proposing the con- 
struction of a secure signature scheme based on claw-free pairs and laying out 
the foundations of standard signatures, several other works followed aiming at 
establishing the weakest computational assumptions on which signature schemes 
could be based. The first of these works was the one of Bellare and Micali [8] 
showing how to construct signature schemes based on any trapdoor permuta- 
tions. Their work was soon followed by the work of Naor and Yung [28] showing 
how to build signatures from any universal one-way hash functions and by the 
work of Rompel [30] showing how to build signatures from any one-way function. 
The latter is in fact also known to be a necessary assumption. 

The picture in the case of public-key encryption and other primitives that 
are known to be implied by it (e.g., key exchange) is not as clear as in the case 
of standard signatures and is still the subject of active research [29,18,17,7]. 
Several of these results are discussed in Section 4, 

Another work that is similar in spirit to our work is the one of Halevi and 
Krawczyk [23] which shows that password-based authentication protocols imply 
public-key cryptography. 

Organization. In Section 2 we recall the formal models and security defini- 
tions for (static) group signatures and public-key encryption schemes. Next, in 
Section 3, we show how to build a secure public-key encryption scheme from a 
secure group signature scheme. We then prove the security of our construction 
based on the anonymity property of group signatures. Finally, we conclude our 
paper by discussing the implications of our result in Section 4. 

2 Definitions 

2.1 Preliminaries 

We will denote by \m\ the bit-length of a bit-string m. For any two arbitrary 
bit-strings mo and mi with \mo\ = \m\\ we denote by diff(mo,mi) = {i\mo[i\ ^ 
mi[i]}, i.e. the set of bit positions on which mo and m\ are different. 

As usual, a function /(•) is said to be negligible if for any polynomial p, there 
exists a natural number n p such that f{n) < for all n p < n. We will say 
that a function of two arguments /(•,•) is negligible, if for all polynomials p, the 
function g defined by g(k) = /(fc,p(fc)) is negligible. 



2.2 Public Key Encryption Schemes 

Encryption schemes. A public-key encryption scheme AS = (K e , Enc, Dec) 
is specified, as usual, by algorithms for key generation, encryption and decryp- 
tion. The security property that is most relevant for the results of this paper is 
indistinguishability under chosen-plaintext attack , in short IND-CPA. 




On the Minimal Assumptions of Group Signature Schemes 



5 



For completeness we now recall the definition. An (IND-CPA) adversary 
against AS is an algorithm A that operates in two stages, a choose stage and 
a guess stage. For a a fixed bit b, the adversary works as follows. In the first 
stage the algorithm is given a public key pk e for encryption, and at the end of 
this stage it outputs a pair of messages Mo and Mi . The input of the algorithm 
to the second stage is some state information, also produced at the end of the 
first stage, and a challenge ciphertext C that is an encryption of M5. At the 
end of the second stage the adversary outputs a guess bit d that selects one or 
the other message. The adversary wins if he guesses successfully which of the 
messages was encrypted. 

Let Exp^~^ paJ) (fc) denote the random variable representing the output of 
A in the above experiment, when pk e is obtained by running the key generation 
algorithm (with fresh coins) on security parameter k. The advantage function of 
A is defined as: 



Advjgr (*) = Pr 



-rn ind-cpa_l 

Exp,, / 



( ZM 






An encryption scheme AS is said to be IND-CPA secure if the advantage function 
Adv^"^ ca (-) is negligible for any polynomial-time adversary A. 



2.3 Group Signatures 

In this section we recall the relevant definitions regarding group signatures. The 
presentation in this section follows [9]. 

Syntax of group signature schemes. A group signature scheme QS = 
(GKg, GSig, GVf, Open) consists of four polynomial-time algorithms: 

• The randomized group key generation algorithm GKg takes input l k , l n , 
where k G N is the security parameter and n G N is the group size (ie. the 
number of members of the group), and returns a tuple (gpk , gmsk , gsk ) , 
where gpk is the group public key , gmsk is the group manager’s secret key , 
and gsk is an n- vector of keys with gsk [ i ] being a secret signing key for 
player i G [n\. 

• The randomized group signing algorithm GSig takes as input a secret signing 
key gsk[i ] and a message m to return a signature of m under gsk[i ] (i G [n]). 

• The deterministic group signature verification algorithm GVf takes as input 
the group public key gpk, a message m, and a candidate signature a for m 
to return either 1 or 0. 

• The deterministic opening algorithm Open takes as input the group manager 
secret key gmsk, a message m, and a signature a of m to return an identity 
i or the symbol _L to indicate failure. 

Correctness. A group signature scheme must satisfy the following correctness 
requirement: For all k,n G N, all (gpk, gmsk, gsk ) G [GKg(l /c , l n )], all i G [n\ 
and all m G {0, 1}* 

GVf(gpk, ra, GSig(gsk[i], ra)) = 1 and 0 pen (gmsk, m, G Sig (gsk [i], m)) = i . 




6 



Michel Abdalla and Bogdan Warinschi 



Experiment Expg^°^ b (/c, n) 

(. gpk,gmsk,gsk ) ^ GKg(l fc ,l") 

( St,io,ii,m ) 4 - /l 0pen(grnstr; ) (choose, gpk, gsk) ; a 4 - GSig(gsk[*f,], ra) 
d ^ A 0pen ( gmsk ’ ’ >(guess,St,(7) 

If A did not query its oracle with m, a in the guess stage then return d Endlf 
Return 0 



Fig. 2. Experiment used to define full- anonymity of a group signature scheme QS — 
(GKg, GSig, GVf, Open). Here A is an adversary, b £ {0, 1}, and St denotes state infor- 
mation passed by the adversary between stages. 



In [9] , the authors identify two security notions which are sufficient for defin- 
ing security of group signature schemes. Out of the two notions, termed in [9] 
full- anonymity and full-traceability respectively we recall the formalization of 
the first and only informally discuss the second. 

Full- ANONYMITY. Informally, anonymity requires that an adversary not in pos- 
session of the group manager’s secret key find it hard to recover the iden- 
tity of the signer from its signature. The formalization of [9] uses a strong 
indistinguishability-based formulation. Roughly an adversary is allowed to inter- 
act with the group signature by asking for signatures, and openings of signatures 
of its own choosing. At the end of this interaction which represents the choose 
stage, the adversary has to output a message m and two identities io and i\. As 
input to its second stage, the adversary receives state information it had output 
at the end of the choose stage and a challenge signature on m, created using one 
of the two identities chosen at random. The goal of the adversary is to determine 
which of the two users created the signature. 

The experiment defining full- anonymity is given in Figure 2. 

The advantage of an adversary A in breaking the full-anonimity of a group 
signature scheme QS is denoted by 



Adv^(fc,n) = Pr [Exp^ 1 (k,n) = l] - Pr [Exp"(fc,n) = l] . 

A group signature scheme QS is said to be fully- anonymous if for any polynomial- 
time adversary A , the two-argument function Adv^^(-, •) is negligible (as de- 
fined in Section 2.1.) 

Full-traceability. Full-traceability refers to the ability of the group manager 
to revoke anonymity of signers. Informally it requires that no colluding set S of 
group members, comprised potentially of the whole group, can create signatures 
that cannot be traced back to some member of S. A formalization of this property 
appears in [9] , and we omit it here since is not relevant to the results of this paper. 

The main result of [9] is to show that if trapdoor functions exist then group 
signature schemes that are fully- anonymous and fully-traceable also exist. 





On the Minimal Assumptions of Group Signature Schemes 



7 



3 Group Signature Schemes 

Imply Public Key Cryptography 

In this section, we show how to construct a secure public key encryption scheme 
given any secure group signature scheme. 



3.1 Construction 

Fix an arbitrary group signature scheme QS = (GKg, GSig, GVf, Open). The idea 
of our construction is the following. Consider an instance of QS in which the 
group of signers has size 2, i.e. it only contains users 0 and 1. Consider the 
following encryption scheme, A£[QS]: the public key consists of the signature 
verification key of the group gpk , together with the signing keys of users 0 
and 1, i.e. the vector gsk = (gslc[0], gslc[l]). The associated secret key consists 
of the group verification key together with the group manager secret key. The 
encryption of message M = bobi . . . b n with bi E {0,1} is done bit by bit, where 
the encryption of the bit b is a signature on some fixed message 0 using the group 
signing key of user b. The decryption is immediate: to decrypt the encryption 
a of a bit b, simply verify that cr is a valid group signature, and if so use the 
group manager’s secret key to recover the identity of the signer (i.e. b). This 
immediately extends to arbitrary length messages. 

We give the full details of our construction in Figure 3. 



Algorithm K e (l fe9 ) 
n <— 2 

(gpk, gmsk, gsk ) 4- GKg(l fc s , i») 
ske <- (gpk, gmsk ) 

Pk e <- (gpk, gsk) 

Return ( pk e ,sk e ) 


Algorithm Enc(pk e ,M) 
Parse pk e as (gpk, gsk ) 
l <— \M\ 

Parse M as b\ . . . bi 
For i = 1 . . . 1 do 

(Ti GSig(gsJc[&i], 0 ) 
Return (a ±, . . . , 07 ) 


Algorithm Dec(sk e ,C) 

Parse sk e as (gpk, gmsk) 

Parse C as <ti . . . ai 
For i = 1 . . . 1 do 

If GVf (gpk, 0, — 0 Then 

Return T 

bi Open (gmsk, 0 , ai) 

If bi 0 {0, 1} Then 
Return T 

Return M — bi . . . bi 



Fig. 3. Construction of an IND-CPA secure public-key bit-encryption scheme 
AS[QS] — (K e ,Enc, Dec) based on any secure group signature scheme QS — 

(GKg, GSig, GVf, Open). 





8 



Michel Abdalla and Bogdan Warinschi 



3.2 Security Proof 

Let B be an adversary attacking the IND-CPA security of the encryption scheme 
AS[QS). We show how to construct an adversary A against the group signature 
scheme QS such that 

Ad v^X(fc) < PA(k) ■ Adv^fc, 2) , (1) 

where pj^{k) is some polynomial bounding the running time of adversary A. 
Since we assumed that QS is fully-anonymous, the function on the right-hand 
side of the inequality is negligible so AS is an IND-CPA secure encryption scheme. 



Adversary M(choose, gpk, gsk) 


Adversary M(guess, St x , a) 


(St, mo, mi) B(choose, (gpk, gsk)) 


Parse St' as (St, mo, mi , gpk, gsk, j) 


j d iff (mo, mi) 


For i <- 1, , . . , j - 1 


St' <— (St, m 0 , mi, gpk, gsk, j) 


cr i GSig (gsk [m 0 [z]], 0) 


Return (St' , mo [j ] , mi [j] , 0) 


For i j + 1, . . . , n 

(Ji GSig(gsk[mi[z]], 0) 

Gj <- cr 

Let d k>(guess, St, (<ji, . . . , ai)) 
Output d 



Fig. 4. Construction of an adversary A against QS from an adversary B against 
AS[QS\. 



The algorithm A is given in Figure 4. In the guess stage, A runs the guess 
stage of algorithm B for encryption scheme AS and obtains two messages mo 
and mi. These messages, together with the state information output by B is 
forwarded to the choose stage of A. In this stage, A selects at random a position 
j on which mo and mi are different, and creates a challenge ciphertext for B. 
The challenge ciphertext is an encryption (gpk, gsk ) of a word which on its first 
j — 1 positions coincides with mi and on its last n — j positions coincides with 
mo, where n = |mo| = |mi|. The bit b on position j in the plaintext encrypted 
by the challenge ciphertext is precisely the identity of the player that generated 
the challenge signature a which A received from its environment. 

For some fixed messages mo and mi, let us denote by so, . . . , s p the sequence 
of p = | d iff (mo, mi) | words such that so = mo, s p = mi, and any two consecutive 
words S{— i and Si differ exactly in one bit position. More precisely, let j be the 
element of rank i in d iff (mo, mi). We can construct word Si from word si-i by 
flipping the j- th bit of i, for i = 1, . . . , p. Now, let i be the rank of the value 
j selected by A during the choose stage of A. Therefore, adversary B receives as 
challenge either the encryption of Si-i or the encryption of s^, depending on the 
key used to create challenge signature a. With this in mind, notice that in the 
experiment Expg^ ^ b (fc, 2) (for b G {0, 1}), adversary A successfully guesses the 
bit b whenever adversary B correctly identifies if the challenge ciphertext is the 





On the Minimal Assumptions of Group Signature Schemes 



9 



encryption of Si-i or that of Si. To simplify notation, we will write 6(Enc(pk, Si)) 
for S(guess, St, En c( (gpk, gsk). Si )). It follows from the above discussion that 

|diff(m 0 ,mi)| 

Pr[Ex^y(*.2) = l]= |diff(mo , mi)| E PrlSfEncfpi, .,-)) = !] 



Pr[Exp S V(t.2) = l]= |diff(m 1 ii mi)| g Pr [i?(Enc(pif, Sj)) 5 == 1] , 

where the first factor represents the probability that the value j selected by A 
has rank i. Let p = |diff(rao, mi)|. We can now bound the advantage of A by: 



Ad vg^(M) = 

= Pr [Exp"(fc,2) = 1] - Pr [Exp"(fc,2) = l] 

i p i p 

= - • X) Pr [ B(Er\c(pk, *)) = 1 ] - - • ^ Pr [ £(Enc(pi, )) = 1 ] 

^ * i — 1 ^ * i — i 



= ~ ' E (Pr [6(Enc(pic, s*)) 



P ^ 

1 f=l 



= - • (Pr [S(Enc(pk, s p )) = 1 
= — • (Pr [S(Enc(pk, mi)) = 

= i - Adv5J;rw 



> 



\m 0 \ 



Adv 



ind-cpa 

AS, B 



(k) 



= 1] — Pr [B(Er\c(pk, s»_i)) = 1]) 

] — Pr [£>(Enc(pic, s 0 )) = 1]) 

1] - Pr [i3(Enc(pic,TO 0 )) = 1]) 



We can also bound the length of m o by the total running of algorithm A , 
which is some polynomial Pa(’) in the security parameter. As a result, 

Adv£&(*,2) > ■ Adv5*g“(l) 

which gives the result claimed in Equation 1 by rearranging the terms. 

Remark 1. The encryption scheme A£[QS] in Figure 3 can also be proven to be 
IND-CCA secure if we restrict the length of the messages being encrypted to 1 
(i.e., the plaintext is just a single bit). Note that, in this special case, we can 
easily simulate the decryption oracle given to the adversary B using the oracle 
for the opening algorithm Open from the experiment for anonymity. 




10 



Michel Abdalla and Bogdan Warinschi 



Remark 2. In [11], Boneh, Boyen, and Shacham define a weaker variant of the 
full- anonymity property, called CPA- full- anonymity, in which the Open oracle is 
not given to the adversary in the experiment for anonymity. Since the proof that 
secure group signatures imply IND-CPA public- key encryption does not rely on 
the Open oracle, the implication still stands even in their weaker security model. 

4 Concluding Remarks 

The main advantage of proving that the existence of secure group signature 
schemes implies public-key encryption schemes is that one can apply several 
of the results that are known for public-key encryption to the case of group 
signatures. Here we highlight the most important ones. 

Group signatures from one-way functions. Given that standard signature 
schemes can be constructed from any one-way function, one may wonder whether 
the same is true for group signatures. Unfortunately, this does not seem to be the 
case. In particular, such construction would need to use non-black-box reduction 
techniques when proving its security [25,29]. Loosely speaking, a non-black-box 
reduction from a cryptographic scheme to a given primitive is a reduction in 
which either the code of the primitive is used in a non-black-box manner by the 
cryptographic scheme or the code of the adversary against the cryptographic 
scheme is explicitly used when building an adversary against the primitive. 

As pointed out in [29] , many of the examples of cryptographic schemes that 
make use of the primitive’s code come from constructions making use of the 
general construction of zero-knowledge proofs for NP languages of Goldreich 
et al. [20,19], as their construction is non-black-box. However, it was recently 
found [4, 6, 5] that reductions making use of the adversary’s code in the proof 
of security were found and they are considered one of main breakthroughs in 
the area of zero-knowledge. Nevertheless, we would like to stress that almost 
all reductions in cryptography are black-box and the examples of non-black-box 
reductions are very few. Hence, it is unlikely that group signatures can be built 
from one-way functions. 

On the minimal assumption for group signatures. Despite the difficulty 
of constructing group signature schemes from one-way functions, one may won- 
der whether it is possible to build group signature from apparently stronger 
assumptions such as trapdoor predicates or (poly-to-one) trapdoor functions. A 
poly-to-one trapdoor function is a trapdoor function where the number of pre- 
images for any point in the range is polynomially-bounded. However, the picture 
in this case is not so clear and such constructions may or may not be possible. 
For this reason, we review some results which may be of importance to us. 

The first of these results is the one of Bellare et al. [7] that shows the the 
restriction on the pre-image size of trapdoor functions is an important one since 
super-poly-to-one trapdoor functions can be constructed from one-way func- 
tions [7]. On the other hand, poly-to-one trapdoor functions are also known to 
imply trapdoor predicates [7,31], which in turn are known to be equivalent to 
to secure public-key encryption [21]. 




On the Minimal Assumptions of Group Signature Schemes 



11 



Another relevant result is the one due to Gertner et al. [18] which shows 
that no black-box reductions exist from trapdoor predicates to poly-to-one trap- 
door functions. In fact, their result shows that it might be possible to construct 
trapdoor predicates (i.e., public-key encryption) based on assumptions that are 
strictly weaker than (poly-to-one) trapdoor functions, with respect to black-box 
reductions. 

Another separation that is important to our work is the one from Gertner 
et al. [17] which shows that there are no black-box constructions of trapdoor 
permutations from trapdoor functions. Their result seems to indicate that the 
latter assumption is stronger than (poly-to-one) trapdoor functions. 

Apart from the fact that trapdoor permutations imply group signatures [9] 
and that the latter implies trapdoor predicates (this paper), the impossibil- 
ity of black-box reductions from trapdoor predicates to trapdoor functions to 
trapdoor permutations leaves completely open the remaining relations between 
these primitives and group signatures. Therefore, constructions of group signa- 
tures based on trapdoor functions or trapdoor predicates may still be possible. 
Turning to the other side of the coin, the construction of any of these primitives 
from group signatures may also be possible. 

Acknowledgment s 

The first author has been supported in part by the European Commission 
through the 1ST program under the IST-2002-507932 ECRYPT contract and 
in part by a CNRS postdoctoral grant. The second author was supported by the 
NSF Career Award CCR-0208800. 

References 

1. G. Ateniese, J. Camenisch, M. Joye, and G. Tsudik. A practical and provably secure 
coalition-resistant group signature scheme. In M. Bellare, editor, CRYPTO 2000 , 
volume 1880 of LNCS , pages 255-270, Santa Barbara, CA, USA, Aug. 20-24, 2000. 
Springer- Verlag, Berlin, Germany. 

2. G. Ateniese and G. Tsudik. Group signatures A la carte. In ACM, editor, 10th 
SODA , pages 848-849, Baltimore, Maryland, USA, Jan. 17-19, 1999. ACM-SIAM. 

3. G. Ateniese and G. Tsudik. Some open issues and new directions in group sig- 
natures. In M. Franklin, editor, FC’99 , volume 1648 of LNCS , pages 196-211, 
Anguilla, British West Indies, Feb. 1999. Springer- Verlag, Berlin, Germany. 

4. B. Barak. How to go beyond the black-box simulation barrier. In IEEE, editor, 
42nd FOCS , pages 106-115, Las Vegas, USA, Oct. 14-17, 2001. IEEE Computer 
Society Press. 

5. B. Barak. Constant-round coin-tossing with a man in the middle or realizing 
the shared random string model. In IEEE, editor, 4$nd FOCS , pages 345-355, 
Vancouver, Canada, Nov. 16-19, 2002. IEEE Computer Society Press. 

6. B. Barak, O. Goldreich, S. Goldwasser, and Y. Lindell. Resettably-sound zero- 
knowledge and its applications. In IEEE, editor, 42nd FOCS , pages 116-125, Las 
Vegas, USA, Oct. 14-17, 2001. IEEE Computer Society Press. 




12 



Michel Abdalla and Bogdan Warinschi 



7. M. Bellare, S. Halevi, A. Sahai, and S. P. Vadhan. Many-to-one trapdoor func- 
tions and their ralation to public-key cryptosystems. In H. Krawczyk, editor, 
CRYPTO’98 , volume 1462 of LNCS , pages 283-298, Santa Barbara, CA, USA, 
Aug. 23-27, 1998. Springer- Verlag, Berlin, Germany. 

8. M. Bellare and S. Micali. How to sign given any trapdoor function. Journal of the 
ACM , 39(1):214— 233, 1992. 

9. M. Bellare, D. Micciancio, and B. Warinschi. Foundations of group signatures: 
Formal definitions, simplified requirements, and a construction based on general 
assumptions. In E. Biham, editor, EUROCRYPT 2003 , volume 2656 of LNCS , 
pages 614-629, Warsaw, Poland, May 4-8, 2003. Springer- Verlag, Berlin, Germany. 

10. M. Bellare, H. Shi, and C. Zhang. Foundations of group signatures: The case 
of dynamic groups. Cryptology ePrint Archive, Report 2004/077, 2004. http: 
/ / eprint . iacr . org/. 

11. D. Boneh, X. Boyen, and H. Shacham. Short group signatures. In M. Franklin, edi- 
tor, CRYPTO 2004 , LNCS, Santa Barbara, CA, USA, Aug. 15-19, 2004. Springer- 
Verlag, Berlin, Germany. 

12. E. Bresson and J. Stern. Efficient revocation in group signatures. In K. Kim, 
editor, PKC 2001 , volume 1992 of LNCS , pages 190-206, Cheju Island, South 
Korea, Feb. 13-15, 2001. Springer- Verlag, Berlin, Germany. 

13. J. Camenisch. Efficient and generalized group signatures. In W. Fumy, editor, 
EUROCRYPT’97 , volume 1233 of LNCS , pages 465-479, Konstanz, Germany, 
May 11-15, 1997. Springer- Verlag, Berlin, Germany. 

14. D. Chaum and E. van Heyst. Group signatures. In D. W. Davies, editor, EURO- 
CRYPT’91 , volume 547 of LNCS , pages 257-265, Brighton, UK, Apr. 8-11, 1991. 
Springer- Verlag, Berlin, Germany. 

15. L. Chen and T. P. Pedersen. New group signature schemes. In A. D. Santis, editor, 
EUROCRYPT’94 , volume 950 of LNCS , pages 171-181, Perugia, Italy, May 9-12, 
1994. Springer- Verlag, Berlin, Germany. 

16. W. Diffie and M. Heilman. New directions in cryptography. IEEE Transactions 
on Information Theory , 22:644-654, 1978. 

17. Y. Gertner, S. Kannan, T. Malkin, O. Reingold, and M. Viswanathan. The rela- 
tionship between public key encryption and oblivious transfer. In IEEE, editor, 
41st FOCS , pages 325-335, Las Vegas, USA, Nov. 12-14, 2000. IEEE Computer 
Society Press. 

18. Y. Gertner, T. Malkin, and O. Reingold. On the impossibility of basing trapdoor 
functions on trapdoor predicates. In IEEE, editor, 4^nd FOCS , pages 126-135, 
Las Vegas, USA, Oct. 14-17, 2001. IEEE Computer Society Press. 

19. O. Goldreich, S. Micali, and A. Wigderson. Proofs that yield nothing but their 
validity and a methodology of cryptographic protocol design. In IEEE, editor, 27th 
FOCS , pages 174-187. IEEE Computer Society Press, 1986. 

20. O. Goldreich, S. Micali, and A. Wigderson. Proofs that yield nothing but their 
validity or all languages in NP have zero-knowledge proof systems. Journal of the 
ACM , 38(3):691-729, 1991. 

21. S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and 
System Science , 28:270-299, 1984. 

22. S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against 
adaptive chosen- message attacks. SIAM Journal on Computing , 17(2) :28 1-308, 
Apr. 1988. 

23. S. Halevi and H. Krawczyk. Public- key cryptography and password protocols. In 
ACM Transactions on Information and System Security , pages 524-543. ACM, 
1999. 




On the Minimal Assumptions of Group Signature Schemes 



13 



24. R. Impagliazzo and M. Luby. One-way functions are essential for complexity- 
based cryptography. In IEEE, editor, 30th FOCS , pages 230-235. IEEE Computer 
Society Press, 1989. 

25. R. Impagliazzo and S. Rudich. Limits on the provable consequences of one-way per- 
mutations. In ACM, editor, 21st ACM STOC , pages 44-61, Seattle, Washington, 
USA, May 15-17, 1989. ACM Press. 

26. A. Kiayias and M. Yung. Extracting group signatures from traitor tracing schemes. 
In E. Biham, editor, EUROCRYPT 2003 , volume 2656 of LNCS , pages 630-648, 
Warsaw, Poland, May 4-8, 2003. Springer- Verlag, Berlin, Germany. 

27. A. Kiayias and M. Yung. Group signatures: Provable security, efficient construc- 
tions and anonymity from trapdoor-holders. Cryptology ePrint Archive, Report 
2004/076, 2004. http://eprint.iacr.org/. 

28. M. Naor and M. Yung. Universal one-way hash functions and their cryptographic 
applications. In ACM, editor, 21st ACM STOC , pages 33-43, Seattle, Washington, 
USA, May 15-17, 1989. ACM Press. 

29. O. Reingold, L. Trevisan, and S. P. Vadhan. Notions of reducibility between cryp- 
tographic primitives. In M. Naor, editor, TCC 2004 > volume 2951 of LNCS , pages 
1-20, Cambridge, MA, USA, Feb. 19-21, 2004. Springer- Verlag, Berlin, Germany. 

30. J. Rompel. One-way functions are necessary and sufficient for secure signatures. 
In ACM, editor, 22nd ACM STOC , pages 387-394, Baltimore, Maryland, USA, 
May 14-16, 1990. ACM Press. 

31. A. C. Yao. Theory and applications of trapdoor functions. In IEEE, editor, 23rd 
FOCS , pages 80-91. IEEE Computer Society Press, 1982. 




Perfect Concurrent Signature Schemes 



Willy Susilo 1 , Yi Mu 1 , and Fangguo Zhang 2 

1 School of Information Technology and Computer Science 
University of Wollongong 
Wollongong 2522, Australia 

{wsusilo , ymu}@uow . edu . au 

2 Department of Electronics and Communication Engineering 
Sun Yat-Sen University 
Guangzhou 510275, P.R. China 
isdzhf g@zsu . edu . cn 



Abstract. The notion of concurrent signatures was recently introduced 
by Chen, Kudla and Paterson in their seminal paper in [5]. In concur- 
rent signature schemes, two entities can produce two signatures that are 
not binding, until an extra piece of information (namely the keystone ) is 
released by one of the parties. Upon release of the keystone, both signa- 
tures become binding to their true signers concurrently. In this paper, 
we extend this notion by introducing a new and stronger notion called 
perfect concurrent signatures. We require that although both signers are 
known to be trustworthy, the two signatures are still ambiguous to any 
third party (c.f. [5]). We provide two secure schemes to realize the new 
notion based on Schnorr’s signature schemes and bilinear pairing. These 
two constructions are essentially the same. However, as we shall show in 
this paper, the scheme based on bilinear pairing is more efficient than 
the one that is based on Schnorr’s signature scheme. 



1 Introduction 

Consider a situation where Alice would like to purchase a laptop from Bob. Alice 
signs a payment instruction to pay Bob the price of the laptop, and Bob agrees 
by signing a statement that he authorizes her to pick the laptop up from the 
shop. We need to achieve a situation where both Alice’s and Bob’s signatures are 
binding at the same time. In this particular scenario, the signature will be binding 
when Alice picks up her laptop from the shop. Alice’s payment instruction will be 
binding, and Bob’s signature (or the receipt) will also be binding to allow Alice to 
pick up her laptop. This is a typical application where concurrent signatures are 
applicable, as introduced in their seminal paper in [5]. The signature from both 
parties will be simultaneously binding after the so-called “keystone” is released 
by one of the party involved. 

In [5], Chen, Kudla and Paterson presented a concrete concurrent signature 
scheme based on a variant of Schnorr based ring signature scheme [1]. In their 
scheme, any third party cannot be convinced that a signature has indeed been 



J. Lopez, S. Qing, and E. Okamoto (Eds.): ICICS 2004, LNCS 3269, pp. 14-26, 2004. 
(c) Springer- Verlag Berlin Heidelberg 2004 




Perfect Concurrent Signature Schemes 



15 



signed by one particular signer, since any signer can always generate this signa- 
ture by himself/ herself. However, we note that in a situation where Alice and Bob 
are known to be honest players, any third party can be sure that both signers 
have signed the messages even before the keystone is released. We will highlight 
this idea in Section 3. In this paper, we firstly extend this notion to perfect 
concurrent signature schemes , which will allow full ambiguity of the concurrent 
signatures, even both signers are known to be trustworthy. 

Our Contribution 

In this paper, we firstly introduce a stronger notion of concurrent signature 
schemes namely perfect concurrent signature schemes. We argue that this notion 
is extremely important, especially in the case where both signers are known to 
be trustworthy. We provide two concrete schemes to satisfy this model, and 
show their security proofs. Our first scheme is based on a variant of Schnorr ring 
signature scheme, and our second scheme is based on bilinear pairing. These two 
schemes are essentially the same. However, our second scheme is more efficient 
that the first one. 

The rest of this paper is organized as follows. In the next section, we will 
review some of the previous and related works in this area. In section 3, we 
recall the notion of concurrent signatures introduced in [5], and analyze the 
concrete signature scheme proposed in the same paper. As we shall show in 
this section, if both parties are honest, then any third party can be sure who has 
issued the published signatures. We strengthen this notion by introducing perfect 
concurrent signatures in section 4. We provide a concrete perfect concurrent 
signature scheme based on Schnorr’s signature scheme in section 5 and based on 
bilinear pairing in section 6. Section 7 concludes this paper. 

2 Related Work 

Fair exchange in digital signatures has been considered as a fundamental problem 
in cryptography. Fairness in exchanging signatures is normally achieved with the 
help of a trusted third party (TTP) (which is often offline). There were some at- 
tempts where a fair exchange of signatures can be achieved with a “semi-trusted” 
TTP who can be called upon to handle disputes between signers [2]. This type 
of fair exchanges is also referred to as optimistic fair exchange. The well-known 
open problem in fair exchange is the requirement of a dispute resolving TTP 
whose role cannot be replaced by a normal certification authority. 

In [8], the notion of ring signatures was formalized and an efficient scheme 
based on RSA was proposed. A ring signature scheme allows a signer who knows 
at least one secret information (or trapdoor information) to produce a sequence 
of n random permutation and form them into a ring. This signature can be 
used to convince any third party that one of the people in the group (who 
knows the trapdoor information) has authenticated the message on behalf of the 
group. The authentication provides signer ambiguity , in the sense that no one 
can identify who has actually signed the message. In [1], a method to construct 




16 Willy Susilo, Yi Mu, and Fangguo Zhang 

a ring signature from different types of public keys, such as these for integer 
factoring based schemes and discrete log based schemes, was proposed. The 
proposed scheme is more efficient than [8]. The formal security definition of a 
ring signature is also given in [1]. 

Recently, the notion of concurrent signatures was introduced in [ 5 ] . This type 
of signature schemes allows two parties to produce two signatures in such a way 
that, from the point of view of any third party, both signatures are ambiguous 
until an extra piece of information, called the keystone , is released by one of the 
parties. Upon releasing the keystone, both signatures become binding to their 
true signers concurrently. Concurrent signature schemes fall just short of solving 
the full TTP problem in fair exchange of signatures, because it still requires a 
certification authority (like a normal signature scheme). 

In concurrent signatures, there are two parties involved in the protocol, 
namely A and B (or Alice and Bob, resp.). Since one party is required to create 
a keystone and send the first message to the other party, we call this party as the 
initial signer. A party who responds to the initial signature by creating another 
signature with the same keystone fix is called a matching signer. Without loss 
of generality, we assume A to be the initial signer and B the matching signer. 



2.1 Bilinear Pairing 

Let Gi be a cyclic additive group generated by P, whose order is a prime g, and 
G2 be a cyclic multiplicative group with the same order q. Let e : Gi x Gi — > G2 
be a map with the following properties: 

1. Bilinearity: e(aP, bQ ) = e(P, Q) ab for all P, Q G Gi, a, b G Z q 

2 . Non-degeneracy: There exists P, Q G G\ such that e(P, Q) 7^ 1 , in other 
words, the map does not send all pairs in Gi x Gi to the identity in G2; 

3 . Computability: There is an efficient algorithm to compute e(P, Q ) for all 
P, Q G Gi . 

In our setting of prime order groups, the Non-degeneracy is equivalent to 
e(P, Q) 7^ 1 for all P, Q G Gi. So, when P is a generator of Gi, e(P, P) is a 
generator of G2. Such a bilinear map is called a bilinear pairing (more exactly, 
called an admissible bilinear pairing). 

Definition 1. Bilinear Diffie-Hellman (BDH) Problem. 

Given a randomly chosen P G Gi, as well as aP,bP and cP (for unknown 
randomly chosen a, 6, c G Z q ), compute e(P, P) a6c . 

For the BDH problem to be hard, Gi and G2 must be chosen so that there is 
no known algorithm for efficiently solving the Diffie-Hellman problem in either 
Gi or G2. We note that if the BDH problem is hard for a pairing e, then it 
follows that e is non-degenerate. 



Definition 2. Bilinear Diffie-Hellman Assumption. 

IfTQ is a BDH parameter generator , the advantage Advxg(A) that an algorithm 




Perfect Concurrent Signature Schemes 



17 



A has in solving the BDH problem is defined to be the probability that the algo- 
rithm A outputs e(P,P) abc on inputs Gi, G2, e, P, aP, 6 P, cP, where (Gi,G2,e) 
is the output of XQ for sufficiently large security parameter I, P is a random 
generator of Gi and a,b,c are random elements of Z q . The BDH assumption is 
that kdvzg(A) is negligible for all efficient algorithms A. 

2.2 Signature Knowledge of Representation 

The first signature based on proof of knowledge (SPK) was proposed in [ 3 , 4 ]. 
We will use the following definition of SPK from [ 3 ]. 

Let q be a large prime and p = 2 q + 1 be also a prime. Let G be a finite cyclic 
group of prime order p. Let g be a generator of Z* such that computing discrete 
logarithms of any group elements (apart from the identity element) with respect 
to one of the generators is infeasible. Let H : {0, 1}* —> {0, 1 } £ denote a strong 
collision-resistant hash function. 

Definition 3. A pair (c, s) G {0,1}^ x Z p satisfying c = H(g\ \y\ \g s y c \ \m) is a 
signature based on proof of knowledge of discrete logarithm of a group element y 
to the base g of the message m G {0, 1}* and is denoted by SPK {a : y = g a }(m). 

An SPK {a : y = g a }(m) can only be computed if the value (secret key) a = 
log (y) is known. This is also known as a non-interactive proof of the knowledge 
<x 

Definition 4. A pair (c,s) satisfying c = H(h\ \g\ \z\ \y\ \h s z c \ \g s y c \ \m) is a sig- 
nature of equality of the discrete logarithm problem of the group element z with 
respect to the base h and the discrete logarithm of the group element y with re- 
spect to the base g for the message m. It is denoted by SPKEQ{a : y = g a Az = 
h a }(m). 

This signature of equality can be seen as two parallel signatures of knowledge 
SPK {a : y = g a }(m) and SPK {a : 2 = h a }(m ), where the exponent for the 
commitment, challenge and response are the same. It is straightforward to see 
that this signature of equality can be extended to show the equality of n parallel 
signatures of knowledge SPK using the same technique. 

3 Review on Concurrent Signatures 

As defined in [ 5 ], concurrent signatures are digital signature schemes that con- 
sist of four algorithms: SETUP, ASIGN, AVERIFY and VERIFY. In [ 5 ], a generic 
construction of concurrent signatures was proposed. 

Ambiguity of Concurrent Signatures 

Having observed the two signatures (<71,02) published, any third party A can 
conclude one of the following: i) Both signatures (<71,02) were generated by A. 
ii) Both signatures (oq, <72) were generated by B. iii) <71 was generated by A and 
<7 2 was generated by B. iv) oq was generated by B and a 2 was generated by A. 
Hence, the success probability of a third party A to correctly guess the signers is 
bounded by Succ^f (oq, 02) < 4 • Pr[cq = oq A aj = 02] — 1 where i, j G {A, B}. 




18 



Willy Susilo, Yi Mu, and Fangguo Zhang 



3.1 Chen et. al. ’s Concrete Concurrent Signatures Protocol 

The scheme consists of four algorithms. 

— SETUP is probabilistic algorithm that sets up all parameters including keys. 
It selects two large primes p, q for q\p— 1 and a generator g G Z* of order q. It 
also generates two cryptographic hash functions Hi, #2 : {0, 1}* — > 7L q . Say, 
Alice and Bob are two parties involved in the system. Upon completion of the 
setup, Alice obtains her private key xa G 7L q and the corresponding public 
key ha = g XA (mod p) and Bob obtains xb G Z g , ys = g XB (mod p) as 
his private key and public key. 

— ASIGN is a probabilistic algorithm that takes as input (yA,yB,Xi, f), where 
i G (A, B) and / = H\{k) for the keystone k G {0,1}* and outputs an 
ambiguous signature a p To sign a message Ma, Alice picks a random r G 7L q 
and a keystone k and then computes / = H\(k) and 

h = H 2 (g r y f B (mod p)\\M A ), h A = h-f (mod q),s A =r-h A XA (mod q). 

The output from the algorithm is the signature on M\ a a = (sa,^a,/), 
which is then sent to Bob. 

— AVERIFY is an algorithm that takes as input Si = (cq, y^ pj, Mi) and outputs 
accept or reject. Given Sa = (<ta> Pa, Vb, M), Bob checks the equality: 

h A + f = H 2 {g SA y h A A y[ \ (mod p)\\M A ) (mod q ). (1) 

If it holds, accept the signature; otherwise, reject. If the signature is ac- 
cepted, Bob signs message Mb by using (jja, yB, %b, /)• The resulting signa- 
ture is a B = ( s B , h B , /), where ti = H 2 (g r 'y f A (mod p)\\M B ), h B = h' - f 
(mod q), s B = r' — h B x B (mod q). r' is a random number selected from 
Z q . He then sends to Alice. Upon receiving cr^, Alice checks whether or 
not / is the same as the one used by herself. If not, abort. Otherwise, Alice 
checks the equality: 

h B + f = H 2 (g SB y B B y A (mod p)\\M B ) (mod q). (2) 

If it holds, Alice sends k to Bob. 

— VERIFY is an algorithm that takes as input (k, Si) and checks if H\(k) = /. 
It not, it terminates the process. Otherwise, it runs AVERIFY (Si). 

In the original paper, it was claimed that both a a and gb provide identity 
ambiguity. After the keystone k is released by one of parties, the ambiguity is 
removed, and hence, the identity of the signers is revealed and the signatures 
become binding. Therefore, fairness in exchange of signatures is achieved. 



3.2 On the Ambiguity of Chen et. a/.’s Concurrent Signatures 

In the concrete scheme of [5], in some circumstances, any third party can be 
sure about the originators of the two publicly available valid signatures. For 




Perfect Concurrent Signature Schemes 



19 



example, when the two signers are well known to be honest, any third party 
would trust that the signers will not deviate from the prescribed protocol. Hence, 
any third party would believe that the signatures are valid and these signatures 
can be identified even before the keystone is released. This argument is justified 
as follows. 

Proposition 1. In the concrete scheme of [5], iff the two signers are well known 
to be honest , then any third party can identify who the real signers of the publicly 
available valid signatures, even before the keystone is released. 

Proof We note that hi and / are indistinguishable to the verifier. Assume 
that A and B have followed the protocol and constructed two signatures a a = 
( sa , hA-> f ) and gb — (s#, hs, /)• For a third party, to verify ga, he will use y 
while to verify gb, he will need to use y A , since otherwise, the verification will 
not return accept. Hence, we have removed one possibility from the ambiguity 
listed in Section 3. In other words, in the concrete scheme of [5], after the two 
signatures are released, then there are only three possibilities (c.f. the type of 
ambiguities introduced in Section 3), namely (i) Both signatures (0-1,02) were 
generated by A. (ii) Both signatures (<71,02) were generated by B. (iii) <71 was 
generated by A and <72 was generated by B. We note that the fourth possibility 
will not happen since it will not satisfy the verification algorithm, otherwise (if 
we assume A was the initial signer). This means that his success probability of 
guessing the correct signers has been increased to 1/3. Moreover, when the two 
signers are known to be honest, then the first two possibilities can be disregarded 
(since the two signers will always follow the protocol), and hence, the third party 
can identify who the signers are before the keystone is released. □ 

4 Perfect Concurrent Signature Schemes 

In this section, firstly we define the notion of perfect concurrent signatures for- 
mally. 

Definition 5. Concurrent signature scheme CS are called as perfect concurrent 
signature schemes (PCS) iff by observing the two valid signatures, any third party 
cannot identify who has issued the signatures, even the signers are well known 
to be honest and will not deviate the prescribed protocol. We assume the signers 
are called A and B, resp. 

We define a third party A, who is assumed to be a probabilistic Turing machine, 
whose running time is bounded by t which is polynomial in a security parameter 
t. A has successfully observed and obtained two signatures (<71,02) produced by 
a CS scheme. Even the two signers are well known to be honest, the probability 
of A ’s success in identifying the signers before the keystone is released is defined 
by 

Succ^ cs (0-i, 0^2) = 4 • Pr[(ii = 0-i A &j = 0^2] — 1 
where i,j£ { A , B}. 




20 



Willy Susilo, Yi Mu, and Fangguo Zhang 



To achieve perfect concurrent signature schemes, the two signatures must 
not have an explicit relationship which is observable by any third party (eg. 
the construction in [5] which is observable since the value of / is used twice in 
the scheme). The relationship between the two signatures must be known to 
the two signers only. Hence, any third party cannot differentiate the real signer 
of a signature, and hence, we achieve the requirement of a perfect concurrent 
signature scheme. 

5 A Perfect Concurrent Signature Scheme 
from Schnorr’s Signature Schemes 

As defined in [5], firstly we define the four algorithms SETUP, ASIGN, AVERIFY 
and VERIFY as follows. 

— SETUP. The SETUP algorithm selects two large prime numbers p and g, 
and a generator g G Z* of order q. It also generates a cryptographic hash 
function Hi : {0,1}* — > Z q . The SETUP algorithm also sets M = JC = Z*. 
Upon completion of this setup, A selects her secret key xa E Z * and sets her 
public key to be yA = g XA (mod p), and B also sets his secret and public 
keys as (x b ? yB = g XB (mod p)). 

— ASIGN. The ASIGN algorithm accepts the following parameters (yi,yj,Xi,s % 
m), where yi , yj are the public keys, yi = g Xi (mod p), yi yj , Xi G Z* is 
the secret key corresponding to s G T and m G A4 is the message. The 
algorithm will perform the following. 

1. Select a random a G Z q . 

2. Compute c = Hi(m, g a yj (mod p)). 

3. Compute s = (a — c)x (mod q ). 

4. Output a = (c, s, s). 

We note that one can verify that c = Hi(m, g c yfyj (mod p)) holds with 
equality. 

— AVERIFY. The AVERIFY algorithm accepts the following parameters (a, 

yj , m) , where a = (c, s, s), yj are the public keys and the message m G M. 
The algorithm verifies whether 

? ~ 

c = Hi(m, g c y-Vj (mod p)) 

holds with equality, and if so, it outputs accept. Otherwise, it outputs 
reject. 

— VERIFY. The algorithm accepts (fc, 5), where k ^ JC is the keystone and 
S = (m,(j,yi,yj), where a = (c,s,s). The algorithm checks whether the 
keystone k is valid by executing a keystone verification algorithm. If the 
output of this verification is reject, then output reject. Otherwise, it runs 
AVERIFY(S'). The output of VERIFY is just that of AVERIFY. 




Perfect Concurrent Signature Schemes 



21 



A Concrete PCS Protocol 

Without losing generality, we assume that A is the initial signer and B is the 
matching signer. Before starting the protocol, the SETUP algorithm is executed, 
and the public keys i/a and ys are published. 

1. A performs the following. 

— Selects a message tua G Ad. 

— Picks a random keystone k G JC and sets 82 = H\(k). 

— Runs (j a < — ASIGN(2/^, 2/^, 82, m^), to obtain a a = (c, s, 82), and sets 

81 <— 8. 

— Selects a random t G 7 L q and compute t = y\ (mod p). 

— Publishes (ra^a , , t) , where g a = (c, 81,82), and sends this value to B. 

2 . Upon receiving A ’ s ambiguous signature a a, B verifies the signature by 

v 

testing whether AVERIFY(cr^, yA, yB, m) = accept. If the equation does not 
hold, then B aborts. Otherwise, B performs the following. (We note that 
at this stage, B knows that 82 is related to the keystone used by A, but no 
third party knows about this fact). 

— Selects a message G M. 

— Computes r <— t XB (mod p). 

— Sets s[ <— 82 + r (mod q). 

— Runs a b ASIGN(p#, yA, xb, 8^, m^), to obtain gb = (c 7 , 81,82). 

— Sets 82 <— 82. 

— Publishes (m^,^), where gb — (c 7 , s' lJ s' 2 ) and sends this value to A. 

3 . Upon receiving B signature (racers), where gb = (c 7 , 8^,82), A performs 
the following. 

v 

— Verifies whether AVERIFY(ob, yA, ys, tub) = accept holds with equal- 
ity. Otherwise, A aborts. 

— Computes r = s[ — 82 (mod q). 

— Verifies whether r = y^ At (mod p) holds. If it does not hold, then A 
aborts. 

- Generates r <— SPKEQ( 7 : r = y 1 ^ At = g p 1 A yA = p 7 )(&)- 

— Releases the keystone k = {fc,r, £,T} publicly, and both signatures are 
binding concurrently. 

Remarks: 

1 . We note that if B is the initial signer, then he will select 81 = H\{k) as 
his keystone, instead of 82. Then, when H(as the matching signer) receives 
BA signature, she will set r' t XA (mod p), where t = y l B (mod p) for a 
random t G Z g , and compute s ' 2 ^ s\ + r' (mod q). 

2. We note that r is always set to r = s[ — 82 (mod g), and r' — s' 2 — 81 
(mod q). 

3 . By observing (c, 81, 82), (c 7 , 8 7 l5 82), any third party cannot determine who is 
the initial signer between the two parties. 

4 . The probability whether r is used in the second step of the protocol instead 
of r 7 is uniform, i.e. 1 / 2 . Hence, by observing the published information, 
any third party cannot figure out whether r or r 7 that has been used in the 
protocol. 




22 



Willy Susilo, Yi Mu, and Fangguo Zhang 



5 . We note that k = {&,r, T} will ensure that both signatures are binding to 
their signers concurrently. It will also ensure that any party cannot cheat by 
producing two signatures by himself/herself and claim that the other party 
has generate one of the signatures. 

VERIFY Algorithm 

We note that after n is released publicly, both signatures a a and gb are binding 
concurrently. To verify these signatures, anyone can perform the following. 

? 

1 . Run the keystone verification algorithm : Test whether H\{k) = 52 (or 

? 

Hi (k) = si if B is the initial signer) holds with equality. Otherwise, output 
rej ect. 

2 . Obtain a a = (c, si, S2) and gb = (c', s r 2 ). 

3 . Compute r = s[ — S2 (mod q) and r' = s 2 — s 1 (mod q). 

4 . Test whether r is valid. Otherwise, output reject. 

? 

5 . Verify whether AVERIFY(cr^, yA, Vb, ttia) = accept holds. Otherwise, out- 
put reject. 

7 

6 . Verify whether AVERIFY(ob, yA, Pb, ttib) = accept holds. Otherwise, out- 
put reject. 

7. Output accept. 



5.1 Security Analysis 

In this section, we provide several theorems and lemmas to show the correctness 
and soundness of our scheme. 

Theorem 1. Before n is released , both signatures are ambiguous. It provides 
fairness to both parties. 

Proof. The ambiguity of A’s and IT s signatures are clear since from any third 
party’s point of view, it is either A or B who has generated such signatures. 
Both parties could have generated a pair of valid signatures by himself/herself. 
Let us assume that A would like to generate a pair of CS signature by herself. 
She will perform the following 

— Select two random numbers 52, s' 2 GZ g . 

— Run g\ <— ASIGN(?/a, yB,%A, ^2, mi), to obtain g\ = (c, si, 52). 

— Run (J2 <— ASIGN(2 m, yB,XA, s' 2 , m2), to obtain 02 = (c', s ' l5 s^)- 

— The two signatures ((71,(72) is a valid CS signature pair, which is indistin- 
guishable from any third party’s point of view. 

We note that t is truly random from any third party’s point of view. □ 

Lemma 1. When the output of the VERIFY algorithm is accept, then any third 
party can determine who issued the signatures. 




Perfect Concurrent Signature Schemes 



23 



Proof. Without losing generality, we assume A is the initial signer and B is the 
matching signer. To verify that a signature was generated by A , any third party 
performs the following steps. 

7 

— Verify whether H\(k) = 82. If if does not hold, then output reject. 

7 

— Verify whether c = g c y s ly s ^ (mod p)) holds. If it does not hold, 

then output reject. 

— Output accept. 

We note that after verifying both equations above, any third party is assured 
that the signature was indeed generated by A because he knows that the value 
of S2 was already set when c was computed. Hence, this shows that the only way 
to compute the correct 8i is by knowing the secret key xa- 

To verify that a signature was generated by B, any third party needs to 
perform similar steps as above. 

— Verify whether r is valid to ensure that r is valid. Otherwise, output re j ect. 

7 

— Verify whether r + 82 = s[ (mod q) holds. Otherwise, output reject. 

7 

— Verify whether H\(k) = S2 holds. Otherwise, output reject. 

— Verify whether c! = ^(m^, g c y^y^ (mod p)) holds. Otherwise, output 
rej ect. 

— Output accept. 

We note that after verifying the above equations, any third party is sure that 
the signature was indeed generated by B because the value s[ was already set 
when c' was computed. This shows that the only way to compute the correct s' 2 
that will satisfy the above equation is by knowing the secret key xb- □ 

Theorem 2. Both signatures are binding after n is released. 

Proof. After n is released, any third party can verify the authenticity of (m^, (c, 

7 

81,82)) and (m^, (c', 8^, 82)) by testing whether AVERIFY(cr, yA, ys, ttia) = 
accept, for a G {(c, 81,82), (c 7 , s[, 82)}. As shown in Lemma 1, any third party 
will be sure with the identity of the signature issuer. n 

Theorem 3 . Our scheme is a perfect concurrent signature scheme. 

Theorem 4 . Our perfect concurrent signature scheme is existentially unforge- 
able under a chosen message attack in the random oracle model, assuming the 
hardness of the discrete logarithm problem. 

Proof (sketch). The proof is similar to the proof of unforgeability of the Schnorr 
signature scheme in [6] and the concurrent signatures in [5]. We incorporate 
the forking lemma [7, 6] to provide the proof. We use the notion of existential 
unforgeability against a chosen message attack from [5] . We omit this proof due 
to space limitation and refer the reader to the full version of this paper for a 
more complex account. □ 




24 



Willy Susilo, Yi Mu, and Fangguo Zhang 



6 A Perfect Concurrent Signature Scheme 
from Bilinear Pairing 

In this section, we provide a perfect concurrent signature scheme from bilinear 
pairing. This scheme is essentially the same as our first scheme. However, as 
we shall show in this section, our second scheme is more efficient than our first 
scheme. Firstly, we define the four algorithms SETUP, ASIGN, AVERIFY and 
VERIFY as follows. 

— SETUP. The SETUP algorithm selects a random number s £ Z* and sets 
Ppub = sP. It selects two cryptographic hash functions Hq : {0, 1}* — ► 
Gi and Hi : {0, 1}* — ^ 7L q . It publishes system parameters params = 
{Gi, G 2 , e, q, P, Ppub, Ho, Hi}, and keeps s as the master-key , which is se- 
cret. The algorithm also sets Ad = /C = T sZ g . Without losing generality, 
suppose A is the initial signer and B is the matching signer. A selects her 
secret key sa £ Z*, and B selects his secret key sb £ Z*. M’s public key is 
P V ub A = s A P, P’ s public key is P pu b B = s B P. 

— ASIGN. The ASIGN algorithm accepts the following parameters ( P pu b 1 , P pu b 2 , 
si,s,m), where s 1 is the secret key associated with the public key P pu b 1 , 
s £ T and ra £ Ad is the message. The algorithm will perform the following. 

• Select a random a £ 7L q . 

• Compute c 0 = H(P publ \\P pub2 \\e(aH 1 (m), P)e(sH 1 (m), P pub2 )). 

• Let ci = (a — Co)s^~ 1 (mod q). 

• Let c 2 s. 

• Return a = (co, ci, C 2 ) as the signature on m. 

— AVERIFY. The AVERIFY algorithm accepts (cr, P pu b 1 , Ppub 2 , m), where a = 
(co, ci, C 2 ). The algorithm verifies whether 

Co ^ H {Ppubi | \Ppub 2 I \ c(H 1 ( rn ) , P ) 0 e(ciH\ (m) , Ppubi ')c{c2H\ (m) , P P ub 2 )) 

holds with equality, and if so, it outputs accept. Otherwise, it outputs 
rej ect. 

— VERIFY. The algorithm accepts (k, S), where k £ JC is the keystone and S = 
(m, a, P pu b 1 , P pu b 2 ) , where a = (co, ci, C 2 ). The algorithm verifies whether k 
is valid. If the output of the verification is reject, then it outputs reject. 
Otherwise, it runs AVERIFY(S'). The output of VERIFY is the output of 

AVERIFY. 

A Concrete Perfect Concurrent Scheme from Bilinear Pairing 
Without losing generality, we assume that A is the initial signer and B is the 
matching signer. Firstly, they execute the SETUP algorithm to obtain P pu b A and 
PpubB • 

1. A performs the following. 

— Selects a message m A £ Ad, a random keystone k £ JC and computes 
C2=H 1 (k). 




Perfect Concurrent Signature Schemes 



25 



— Selects a random a G Z* and computes Z = aP. 

- Runs a A AS\GN(P pubA , P pubB , s A , c 2 , m A ) to obtain a A = (c 0 ,ci,c 2 ). 
— Publishes a A and Z, and sends this value to B. 

2. B receives A ’ s ambiguous signature a A , runs and verifies whether AVERIFY 

? 

(cr A , P pubA , P pubEn m A ) = accept holds with equality. If it does not hold, 
then B aborts the protocol. Otherwise, B performs the following. 

— Selects a message G Af. 

— Computes r = e(Z, P pubA ) SB . 

— Computes c[ C2 + r (mod <7). 

- Runs <jb <— AS\GN(P pubB ,P pubA ,s B ,c' 1 ,m B ) to obtain a B = (cq, 4, 4) 
and publishes this value. 

3. Receiving ITs ambiguous signature a B , A computes r = e(P pubB , Z) SA , runs 

? 

and verifies whether AVERIFY(<tb, P pu b A 5 Ppub B 5 m s) = accept holds with 
equality. If it does not hold, then A aborts the protocol. Otherwise, A releases 
the keystone k and a, and both signatures are binding concurrently. 



6.1 Security Analysis 

We note that this scheme has the same features to the scheme presented in 
section 5. 

Theorem 5. Before k and a are released , both signatures are ambiguous. 

Proof (sketch). It can be easily seen that any party can always run ASIGN algo- 
rithm twice, and the resulting signatures will be indistinguishable from a pair of 
signatures that are generated by the two parties. □ 

Theorem 6. After k and a are released , both signatures are binding concur- 
rently. 

? 

Proof (sketch). After k is released, then the validity of c 2 = Hi(k) (in the case 

where A is the initial signer, or c\ = H\{k) in the case where B is the initial 
signer) can be verified. Having verified this value, the initial signer’s signature 
will be binding. Then, from the knowledge of a, any third party can obtain 
r = e(P pubA , P pubB ) a to verify the authenticity of the second signature. This 
way, both signatures will be binding concurrently. □ 

Theorem 7. Our second scheme is a perfect concurrent signature. 

Proof. Although both parties are known to be honest, the signatures are ambigu- 
ous to any third party. The relation between the two signatures are not clear 
until k and a are released. □ 

Theorem 8. If a valid pair of concurrent signature can be generated without the 
knowledge of any valid signer’s secret key , then the BDH problem can be solved 
in a polynomial time. 




26 



Willy Susilo, Yi Mu, and Fangguo Zhang 



Proof. We assume there exists a polynomial algorithm A that can produce a 
valid concurrent signature without any knowledge of the signer’s secret key. 
That means, the algorithm A accepts (P pu b A i Ppub B i m A,rnB, Z) together with 
params , to produce (co,ci,C2) and Without losing generality, we as- 

sume the initial signer is A, and hence, r = c[— c 2 (mod q). Now, we construct 
an algorithm A that will use A to solve the BDH problem as follows. 

A’s objective is to solve e(P, P^ ahc given aP, bP and cP. Firstly, the algo- 
rithm A sets PpubA = a P an d Ppub B = bP. It also sets Z = cP. It also se- 
lects two random messages G Z g . Then, it calls the algorithm A with 

( Ppub A > Ppub B j Z) to obtain a valid concurrent signature pair (co, C2) 

and Finally, it computes r = c[ — C2 (mod g), and outputs it 

as the answer of the BDH problem. We note that r = c[ — C2 (mod q ) = 
e{P P ub A i Ppub B ) c = e(P,P) abc . The success probability of this algorithm is the 
same as the success probability of algorithm A. Hence, we obtain the contradic- 
tion. □ 

Corollary 1. Our second scheme is more efficient compared to our first scheme. 

In our second scheme, releasing k and a are sufficient to ensure that both signa- 
tures are binding concurrently. This is due to the use of bilinear pairing opera- 
tions that enable us to obtain r without releasing further information. In our first 
scheme, we need to incorporate P to ensure the authenticity of the published r. 

7 Conclusion 

We extended the notion of concurrent signature schemes to perfect concurrent 
signature schemes. We provided a formal definition of perfect concurrent sig- 
nature schemes, together with two concrete constructions based on Schnorr’s 
signature schemes and bilinear pairing. 



References 

1. M. Abe, M. Ohkubo, and K. Suzuki. 1-out-of-n Signatures from a Variety of Keys. 
Advances in Cryptology - Asiacrypt 2002, LNCS 2501 , pages 415 - 432, 2002. 

2. N. Asokan, M. Schunter, and M. Waidner. Optimistic protocols for fair exchange. 
In Proc. 4 th ACM Conf on Comp and Comm Security , pages 8-17, 1997. 

3. J. Camenisch. Efficient and Generalized Group Signatures. In Advances in Cryp- 
tology - Eurocrypt ’97, LNCS 1233 , pages 465 - 479, 1997. 

4. J. Camenisch. Group Signature Schemes and Payment Systems based on the 
Discrete Logarithm Problem. PhD Thesis, ETH Zurich , 1998. 

5. L. Chen, C. Kudla, and K. G. Paterson. Concurrent signatures. In Advances in 
Cryptology - Eurocrypt 2004, LNCS 3027 , pages 287-305, 2004. 

6. D. Pointcheval and J. Stern. Security Proofs for Signature Schemes. Advanced in 
Cryptology - Eurocrypt 1996, LNCS 1070 , pages 387 - 398, 1996. 

7. D. Pointcheval and J. Stern. Security arguments for digital signatures and blind 
signatures. Journal of Cryptology , 13(3):361-396, 2000. 

8. R. L. Rivest, A. Shamir, and Y. Tauman. How to Leak a Secret. Advances in 
Cryptology - Asiacrypt 2001, LNCS 2248 , pages 552 - 565, 2001. 




New Identity-Based Ring Signature Schemes* 



Javier Herranz and German Saez 



Dept. Matematica Aplicada IV, Universitat Politecnica de Catalunya 
C. Jordi Girona, 1-3, Modul C3, Campus Nord, 08034-Barcelona, Spain 
{jherranz,german}@mat .upc . es 



Abstract. Identity-based (ID-based) cryptosystems avoid the necessity 
of certificates to authenticate public keys in a digital communications 
system. This is desirable, specially for these applications which involve 
a large number of public keys in each execution. For example, any com- 
putation and verification of a ring signature, where a user anonymously 
signs a message on behalf of a set of users including himself, requires to 
authenticate the public keys of all the members of the set. 

We use bilinear pairings to design a new ID-based ring signature scheme. 
We give bounds on the concrete security of our scheme in the random ora- 
cle model, under the assumption that the Computational Diffie- Heilman 
problem is hard to solve. Then we extend this scheme to scenarios where 
a subset of users anonymously sign on behalf of some access structure of 
different subsets. 



1 Introduction 

In a ring signature scheme , a user forms a set (or ring) of users which contains 
himself, and anonymously computes a signature on behalf of the whole ring. 
Any verifier must be convinced that the signature has been computed by some 
member of this ring, but he has no information about who is the actual author 
of the signature. 

In real applications, however, the public keys of the users are authenticated 
via a Public Key Infrastructure (PKI) based on certificates. Therefore, the signer 
must first verify that the public keys of the ring correspond to the identities of 
the users that he wants to include on the ring. Later, the verifier must first check 
the validity of the certificates of all the public keys of the members of the ring. 

This necessary management of digital certificates substantially increases the 
cost of both generation and verification of a ring signature. Thus, any possible 
alternative which avoids the necessity of digital certificates is welcome in order 
to design efficient ring signature schemes in particular, and efficient public key 
cryptosystems in general. 

Shamir introduced in 1984 the concept of identity-based (from now on, ID- 
based) cryptography [12]. The idea is that the public key of a user can be publicly 
computed from his identity (for example, from a complete name, an e-mail or 

* This work was partially supported by Spanish Ministerio de Ciencia y Tecnologia 
under project TIC 2003-00866. 



J. Lopez, S. Qing, and E. Okamoto (Eds.): ICICS 2004, LNCS 3269, pp. 27-39, 2004. 
(c) Springer- Verlag Berlin Heidelberg 2004 




28 



Javier Herranz and German Saez 



an IP address). Then, the secret key is derived from the public key. In this way, 
digital certificates are not needed, because anyone can easily verify that some 
public key PKjj corresponds in fact to user U. 

The process that generates secret keys from public keys must be executed 
by an external entity, known as the master. Thus, the master knows the secret 
keys of all the users of the system. A way to relax this negative point could be 
to consider a set of master entities which share the secret information. 

In this work we present a provably secure ID-based ring signature scheme, 
based on bilinear pairings. The concept of ring signature schemes was introduced 
in [ 11 ]. Other ring signature schemes with different properties have been pro- 
posed and proven secure in [3, 1, 7, 5]. Finally, the only ID-based ring signature 
scheme proposed until now (as far as we know) is the one by Zhang and Kim 
[14]. In Section 3 we review the properties that a ring signature scheme must 
satisfy, and we recall some results about the security of a particular family of 
ring signature schemes. 

We propose our new ID-based ring signature scheme in Section 4. The main 
difference with respect to the scheme of Zhang and Kim is that computations 
can be parallelized, whereas in their scheme they must be done in an iterative 
(and so, more slow) way. The new scheme belongs to the generic family of ring 
signature schemes, introduced in [7]; therefore, we can use the security results 
given in that work for this family of schemes. In this way, we provide a formal 
proof of its existential unforgeability under chosen message attacks in the random 
oracle model, assuming that the Computational Diffie- Heilman problem is hard 
to solve, in Section 5. The mathematical tools that we need for the design and 
the analysis of our scheme are presented in Section 2 . 

We also propose, in Section 6 , an ID-based scheme for scenarios where all 
the members of some subset collaborate to compute a ring signature. These 
members choose an ad-hoc access structure containing some subsets of users 
(among them, the actual subset of signers). The recipient of the signature is 
convinced that the message has been signed by all the members of some subset, 
but has no information about which subset of the access structure is the actual 
signer. 

2 Bilinear Pairings 

Let Gi be an additive group of prime order g, generated by some element P. Let 
G 2 be a multiplicative group with the same order q. 

A bilinear pairing is a map e : Gi x Gi — > G 2 with the following three 
properties: 

1. It is bilinear, which means that given elements Ai,A 2 ,A 3 E Gi, we have 
that e(Ai + A 2 , A 3 ) = e(Ai, A 3 ) • e(A 2 , A 3 ) and e(Ai, A 2 + A 3 ) = e(Ai, A 2 ) • 
e(Ai,As). In particular, for all a, b E Z g , we have e(aP,bP) = e(P, P) ab = 
e(P,abP) = e(abP,P). 

2. The map e can be efficiently computed for any possible input pair. 

3. The map e is non-degenerate: there exist elements Ai,A 2 E Gi such that 

e(Ai, A 2 ) ^ 1g 2 - 




New Identity-Based Ring Signature Schemes 



29 



Combining properties 1 and 3, it is easy to see that e(P, P ) ^ 1q 2 and that 
the equality e(Ai,P) = e(A. 2 ,P) implies that A\ = A 2 . 

The typical way of obtaining such pairings is by deriving them from the Weil 
or the Tate pairing on an elliptic curve over a finite field. 

Let Hi : {0, 1}* — > Gi — {0} be a hash function. The most usual way to 
design an ID-based cryptosystem is the following. The master has a secret key 
xGZ*, and he publishes the value Y = xP G Gi. 

Every user U of the ID-based system has an identifier I Du G {0, 1}*, that 
can be an IP address, a telephone number, an e-mail address, etc. The public key 
of U is then defined to be PKu = Hi{IDjj) G Gi — {0}. In this way, everybody 
can verify the authenticity of a public key without the necessity of certificates. 

The user U needs to contact the master to obtain his secret key SKu = 
xPKu G Gi. The drawback of this approach, as mentioned in the Introduction, 
is that the master must be completely trusted, because he knows the secret keys 
of all the users. 

2.1 The Computational Diffie-Hellman Problem 

We consider the following well-known problem in the group Gi of prime order 
g, generated by P: 

Definition 1. Given the elements P, aP and bP, for some random values a,b G 
Z* ; the Computational Diffie-Hellman problem consists of computing the element 
abP. 

The Computational Diffie-Hellman Assumption asserts that, if the order of 
Gi is q > 2 k , then any polynomial time algorithm that solves the Computational 
Diffie-Hellman problem has a success probability p^ which is negligible in the 
security parameter k. In other words, for all polynomial /(), there exists an 
integer ko such that pk < , for all k > ko . 

The security of the ID-based ring signature scheme that we propose in this 
work is based on the Computational Diffie-Hellman Assumption. 

3 Ring Signatures 

The idea of a ring signature is the following: a user wants to compute a signature 
on a message, on behalf of a set (or ring) of users which includes himself. He 
wants the verifier of the signature to be convinced that the signer of the message 
is in effect some of the members of this ring. But he wants to remain completely 
anonymous. That is, nobody will know which member of the ring is the actual 
author of the signature. 

These two informal requirements are ensured, if the scheme satisfies the fol- 
lowing properties: 

1. Correctness: if a ring signature is generated by properly following the sign- 
ing protocol, then the verification protocol always accepts this signature as 
valid. 




30 



Javier Herranz and German Saez 



2. Anonymity: any verifier should not have probability greater than 1/n to 
guess the identity of the real signer who has computed a ring signature on 
behalf of a ring of n members. 

3. Unforgeability: among all the proposed definitions of unforgeability (see 
[6]), we consider the strongest one: any attacker must have negligible prob- 
ability of success in forging a new valid ring signature for some message on 
behalf of some ring that does not contain himself, even if he knows valid ring 
signatures for messages and rings that he can adaptively choose. 

3.1 Forking Lemmas for Generic Ring Signature Schemes 

Herranz and Saez define in [7] a class of ring signature schemes that they call 
generic. Consider a security parameter k , a hash function which outputs k- bit 
long elements, and a ring U = {Ui, . . . ,U n } of n members. Given a message m, a 
generic ring signature scheme produces a tuple (U, m,Ri, . . . , R n , hi, . . . , h n , a). 

The values R \ , . . . , R n are randomly chosen from some large set in such a 
way that Ri Rj for all i j; hi is the hash value of {U, m, Ri), for 1 < i < n; 
and the value a is fully determined by R\, . . . , R r , hi, . . . , h n and the message 
m. 

Another required condition is that no Ri can appear with probability greater 
than 2/2 k , where k is the security parameter. 

Some results concerning the security of these generic ring signature schemes 
are given in [7] , which are the natural extension of the forking lemmas invented by 
Pointcheval and Stern in [10], for the case of standard signatures. These results 
are valid in the random oracle model [2], where hash functions are assumed to 
behave as totally random functions. We state here a slight modification of one of 
these results for generic ring signature schemes. For integers Q and n such that 
Q > n > 1, we denote as Vg ?n the number of n-permutations of Q elements; 
that is, Vq iU = Q(Q - 1) • . . . • (Q - n + 1). 



Theorem 1. ( The Ring Forking Lemma) Consider a generic ring signature 
scheme with security parameter k. Let A be a probabilistic polynomial time Tur- 
ing machine which receives as input the digital identifiers of users in a set U* 
and other public data ; the machine A can ask Q queries to the random oracle. 

Assume that A produces, within time bound T and with non-negligible proba- 
bility of success e > 7 ^ ,n , a valid ring signature (U, m, R \, . . . , R n , hi , . . . , h n , 
a) for some ring U <ZU* of n users. 

Then, in time T' < 2 T and with probability s' > — ; we obtain two valid 

ring signatures (U, m, R \, . . . , R n , hi , ... , h n , a) and (U, m, R \, . . . , R n , h[, ... , 
h ' n , a') such that hj h’-, for some j G {1, ... ,n} and hi = h\ for all i = 1, . . . ,n 
such that i j. 

In a PKI scenario, the digital identifier of a user is his public key, which can be 
verified by means of the corresponding digital certificate. In ID-based scenarios, 
however, the digital identifier of a user is simply an e-mail or IP address; the 
public key could be computed directly from this identifier. 




New Identity-Based Ring Signature Schemes 



31 



In next section, we present an ID-based ring signature scheme which is 
generic. Therefore, we could use the Ring Forking Lemma to show that this new 
scheme is secure in the random oracle model, assuming that the Computational 
Diffie- Heilman problem is hard to solve. 

In our new generic ring scheme, the hash function such that hi is the hash 
value of (U,m,Ri) will be called . This will imply that some notation used in 
this section will change later; for example, Vq jTI will become Vg 2;n . 

4 A New ID-Based Ring Signature Scheme 

In this section we present a new ID-based ring signature scheme. As the one 
proposed by Zhang and Kim in [14], our scheme is based on bilinear pairings. 
In their scheme, the generation and verification of a ring signature must be 
performed in an iterative way: the signer and the verifier must compute a pairing 
for each member Ui of the ring, and the value corresponding to Ui is necessary to 
compute the value of In our new scheme the computations in the generation 
and verification of a signature can be performed in parallel, more efficiently than 
in [14]. 

Setup : let Gi be an additive group of prime order g, generated by some element 
P. Let G 2 be a multiplicative group with the same order q. We need q > 2 k +n, 
where k is the security parameter of the scheme and h is the maximum possible 
number of users in a ring. Let e : Gi x Gi -> G 2 be a pairing as defined in 
Section 2. Let H\ : {0, 1}* — ► G^ and H 2 : {0, 1}* — > Z q be two hash functions 
(in the proof of security, we will assume that they behave as random oracles). 

The master entity chooses at random his secret key x G Z* and publishes the 
value Y = xP. 

Secret key extraction: a user [/, with identity I Du , has public key PKu = 
Hi(IDu)- When he requests the master for his matching secret key, he obtains 
the value SKjj = xPKu . 

Ring signature generation: consider a ring U = {J7i, . . . , U n } of users; for sim- 
plicity we denote PK{ = PKu { = Hi^IDuJ- If some of these users U Sl where 
s G {1, . . . , n}, wants to anonymously sign a message m on behalf of the ring W, 
he acts as follows: 

1. For alii E {1, . . . , n}, i ^ s, choose A{ uniformly and at random in G*, pair- 

wise different (for example, by choosing a{ G Z* at random and considering 
Ai = aiP). Compute Ri = e(A,P) G G 2 and h% = for all 

i jtz s. 

2. Choose a random A G Gi. 

3. Compute R s = e(A, P ) • e(—Y, hiPKi). If R s = 1q 2 or R s = Ri for some 

i^s 

i ^ 8, then go to step 2. 

4. Compute h s = H 2 (pl,m, R s ). 




32 



Javier Herranz and German Saez 



5. Compute a = h s SK s + A + ^ 

i^s 

6. Define the signature of the message m made by the ring U = {Ui, • • • , U n } 
to be (U,m,R ly . . . ,R n ,h!, . . ,,h n ,a). 

In fact, the values hi can be publicly computed from the ring U , the message m 
and the values Ri. We include them in the signature for clarity in the treatment 
of the security of the scheme. 

Verification: the validity of the signature is verified by the recipient of the mes- 
sage by checking that hi = H 2 (U, m, Ri) and that 

n 

e(a, P)=Rf...-R n -e(Y,J2 hiPKi) . 

i = 1 

It is easy to verify that this ring signature scheme is generic, as defined in 
Section 3.1. 



4.1 Correctness and Unconditional Anonymity 

The property of correctness is satisfied. In effect, if the ring signature has been 
correctly generated, then: 

n n 

Ri ■...■R n -e(Y,Y, hiPKi) = e(A + '£A i ,P).e(-Y,J2h i PK i ).e(Y,J2 hiPKi) = 

i= 1 i^s i^s i= 1 

= e(A + ^ P) ■ e(Y, h s PK s ) = e(A + J2 A it P) ■ e(P, h s xPK s ) = 

i^s i^s 

= e{A + Ai + hsSK s , P) = e(a, P) . 

i^s 

With respect to the anonymity of the scheme, we can argue as follows: let 
Sig = (W, m, i?i, . . . , R n , hi, . . . , h n , a) be a valid ring signature of a message m 
on behalf of a ring U of n members. Let U s be a member of this ring. We can 
find the probability that U s computes exactly the ring signature Sig, when he 
produces a ring signature of message m on behalf of the ring IA, by following the 
proposed scheme. 

The probability that U s computes all the values Ri 1g 2 of Sig, pairwise 
different for 1 < i < n, i ^ s, is * • • • * g _^ +1 • Then, the probability that 

U s chooses the only value A G Gi that leads to the value R s of Sig, among all 
possible values for R s different to 1 g 2 and different to all Ri with i ^ s, is 

Summing up, the probability that U s generates exactly the ring signature 
Siq is 

_2 i i _ i 

g-l q- 2 q-n + 1 q-n V q -i , n 

and this probability does not depend on the user U s , so it is the same for the 
n members of the ring. This fact proves the unconditional anonymity of the 
scheme. 




New Identity-Based Ring Signature Schemes 



33 



5 Unforgeability of the Scheme 

We must consider the most powerful attacks against an ID-based ring signature 
scheme, which are adaptively chosen message attacks. Such an attacker A is given 
as input a set U * of users, and is allowed to: make Q i queries to the random 
oracle Hi and Q 2 queries to the random oracle H 2 \ ask for the secret key of Q e 
identities of its choice (extracting oracle); ask Q s times for valid ring signatures, 
on behalf of rings of its choice, of messages of its choice (signing oracle). 

The total number of queries must be polynomial in the security parameter. 
We say that such an attacker A is (T, e, Qi, Q 2 , Qe, Q s )-successful if it outputs, 
in polynomial time T and with non- negligible probability 5, a valid ring signature 
(1 U , m, i?i, . . . , P n , hi , . . . , h n , cr) for some message m and some ring of users U = 
{Pi, . . . , U n } C W such that: the attacker has not asked for the secret key of 
any of the members of the ring P; the attacker has not asked for a valid ring 
signature, on behalf of the ring U . , of message m. 

We prove that the existence of such a successful attacker against our scheme 
could be used to solve the Computational Diffie- Heilman problem in Gi. 

Theorem 2. Let k be a security parameter, and let the order of Gi be q > 2 k . 
Let A be a (T,s,Qi,Q 2 ,Q e ,Q s )-successful attacker against our ID-based ring 
signature scheme, such that the success probability e is non-negligible in k. 

We denote by h the maximum possible cardinality of the rings in the consid- 
ered system. Let fi be any value such that (l — j^) 1 ^ 6 < fi < 1. 

Then the Computational Diffie- Heilman problem in Gi can be solved within 

(-t \2n+l 

time V < 2T + 2Qi + 2 Q 2 + 2 hQ s and with probability s' > 2 ooy Q £ 2 • 

Proof. Let (P, aP, bP ) be the input of an instance of the Computational Diffie- 
Hellman problem in Gi. Here P is a generator of Gi, with prime order q , and 
the elements a, b are taken uniformly at random in Z*. We will use the attacker 
A against the ring signature scheme to solve this instance of the problem. 

By assumption, the attacker A has non-negligible probability 6 of breaking 

the ring signature scheme. We can assume that 5 > 12 
wise, 5 would be negligible in the security parameter k). 

We are going to construct a probabilistic polynomial time Turing machine 
B to which we will apply the result of the Ring Forking Lemma (Theorem 1). 
This machine B is given as input the digital identifiers IDi of users Vi in a set 
U* . It will be allowed to make Q 2 queries to the random oracle for H 2 , and it 
will use the attacker A as a sub-routine; therefore, B must perfectly simulate 
the environment of the attacker A. 

The machine B receives the public data (P, aP, bP). The public key of the 
master entity is defined to be Y = aP. Then B runs the attacker A against the 
ID-based ring signature scheme, answering to all the queries that A makes. The 
public key Y = aP is sent to the attacker A. 

Without loss of generality, we can assume that A asks the random oracle Hi 
for the value Hi(ID) before asking for the secret key of ID. 




34 



Javier Herranz and German Saez 



The machine B constructs a table TABh 1 to simulate the random oracle 
Hi. Every time an identity IDi is asked by A to the oracle Hi, the machine B 
acts as follows: first B checks if this input is already in the table; if this is the 
case, then B sends to A the corresponding relation Hi(IDi) = PKi. Otherwise, 
with probability /i, the machine B chooses a different Xi G Z* at random and 
define PKi = XiP and SKi = XiY. The values IDi , PKi , Xi, SKi and q = 0 are 
stored in a new entry of the table TABh i: and the relation Hi(IDi) = PKi is 
sent to A. On the other hand, with probability 1 — /jl, the machine B chooses 
a different cq G Z* at random and define PKi — (a.i)bP and SKi =_L. The 
values IDi, PKi, ai, SKi and q = 1 are stored in a new entry of TAB h 1 , and 
the relation Hi(IDi) = PKi is sent to A. The condition PKi ^ PKj must be 
satisfied for all the different entries i ^ j of the table; if this is not the case, the 
process is repeated for one of these users. 

Since we are assuming that Hi behaves as a random function, and the values 
PKi are all randomly chosen, this step is consistent. 

Later, every time A asks for the secret key corresponding to an identity 
IDi, the machine B looks for IDi in the table TABh 1 • If Q = 0, then B sends 
SKi = XiY to A. If Ci = 1, the machine B cannot answer and halts. Note that 
the probability that B halts in this process is less than 1 — i±Q & < ^ . 

Every time A makes a query to the random oracle H 2 , B queries the same 
input to this random oracle H 2 (because it is allowed to do it), and sends the 
obtained answer to A. 

Finally, the attacker A can ask Q s times for a valid ring signature for a 
message m! and a ring IA' of n' < h members (for simplicity, we denote U f = 
{Ui, ... , U n >}). We assume that A has not asked for any of the secret keys of the 
ring U' (otherwise, A could obtain a valid ring signature by itself). To answer 
such a query, the machine B proceeds as follows: 

1. Choose at random an index s G {1, ... , n'}. 

2. For all i G {1 , ... ,n'}, i ^ s, choose A[ at random in G*, pairwise different. 
Compute R'i = e{A' i , P), for alii ^ s. 

3. For i ^ s, compute h\ = H 2 (U' , m' , R^) (by querying the random oracle H 2 ); 
we can assume that A will later ask the random oracle H 2 with these inputs, 
to verify the correctness of the signature. 

4. Choose at random h' s G Z g . 

5. Choose at random a' G Gi. 

n 

6. Compute R' s = e(a' - £ A\, P) • e(-Y, ]T h^PKi). If R’ s = l 6a or R' s = R' 

i^s i= 1 

for some i ^ s, then go to step 5. 

7. Now B “falsifies” the random oracle H 2 , by imposing the relation H 2 (U' , m' , 
R' s ) = h' s . Later, if A asks the random oracle H 2 for this input, then B will 
answer with h' s . Since h' s is a random value and we are in the random oracle 
model for H 2 , this relation seems consistent to A. 

8. Return the tuple (U f , ml , R[, . . . , R! n ,,h! x , . . . , h' n ,,a'). 

There is some risk of “collisions” throughout these signature simulations. 
Recall that, in the definition of generic ring signature schemes, we made the 




New Identity-Based Ring Signature Schemes 



35 



assumption that no Ri can appear with probability greater than 2/2 k in a ring 
signature. Two kinds of collisions can occur: 

— A tuple (U',m',R' s ) that B outputs, inside a simulated ring signature, has 
been asked before to the random oracle H 2 by A. In this case, it is quite 
unlikely that the previous answer of the random oracle H 2 coincides with 
the value h' s produced in the simulation of the signature. The probability of 
such a collision is, however, less than Q 2 • Q s • ^ < |. 

— The same tuple (U' ,m ' , R' s ) is output by B in two different simulated ring 
signatures. The probability of this collision is less than 

Altogether, the probability of collisions is less than s/3. Now we can compute 
the probability that B obtains a valid ring signature: 

sb = Pr [B obtains a valid ring signature] = 



Pr [B does not halt AND no-collisions in the simulations AND A succeeds] > 



> Pr L4 succeeds I B does not halt AND no-collisions in the simulations ] — 

(vj) 



— Pr [B halts OR collisions in the simulations] > 5 

(w,/) 




7e 
12 ' 



However, assuming that A provides B with a valid ring signature for a pair 
(m, IA\ where IA has n <n users, we need to be sure that B does not know any of 
the n secret keys in U (otherwise, B could have generated this forged signature 
by itself, and then it would not be a real forgery). The probability that this 
happens is (1 — fi) n > (1 — fi ) n . Therefore, with probability sb = (1 — yu) n > 
(1 — fi) n y§ > 7V //k' n , the machine B obtains a valid forged ring signature for a 
ring where he does not know any secret key. The execution time of the machine 
B is Tb < T + Qi + Q 2 + nQ s . 

Applying Theorem 1 to the machine P, we have that, by executing two times 

£ 2 

P, we will obtain in time T’ < 2 Tg and with probability s' > 66V ® two valid 
ring signatures (W, m, Ri, . . . , i? n , hi , . . . , h n , a) and (W, m, R\ , . . . , R n , h[ , . . . , 
h f n , cr') such that hj ^ hp for some j G {1, . . . , n} and hi = h[ for alH = 1, . . . , n 
such that i ^ j. Then we have that 



e(<7, P)=R 1 -...-R n - e(Y, h x PKi) ..... e(T, h n PK n ) 



e{p\ P) = Ri • . . . • R n • e(Y, h'.PK^ ..... e(T, h! n PK n ) 

Dividing these two equations, we obtain e(a — cr' , P) = e(Y , ( hj — h'-)PKj ) = 
e(aP, (hj — h'j)PKj). Now we look again to the table TABh 1 ; with probability 
1 — /i, we have that Cj = 1 and so PKj = (aj)bP. 

Then the relation becomes e(cr — a', P) = e(aP, (hj — h'j)ajbP) = e(abaj(hj — 
h'j)P , P). Since the pairing is non-degenerate, this implies that a— a' = abaj(hj — 




36 



Javier Herranz and German Saez 



hj)P. Therefore, we find a solution of the Computational Difhe-Hellman problem 
by computing 

abP = — 77, TJ\( cr ~ a ') ■ 

otj ( hj - h j ) 

The inverse is computed modulo g, and it always exists because ay E Z* and 
hj 7 ^ hj- 

Summing up, we have solved the Computational Difhe-Hellman problem with 
probability The total success probability 

- (1 - ,) e - > (1 - > (1 - ri ((1 7g/12)2 > «»■ 



66Vq 2 



66Hg 2 



200Hg 2 



And the total time needed to solve the problem has been T' < 2 T& < 2 T + 
2Qi + 2 Q 2 T 2 nQ s . 

□ 



This result gives bounds on the concrete security of our ID-based ring signa- 
ture scheme. Note that the reduction in the proof is not quite efficient; that is, 
the relation between both the success probabilities and the execution times of 
the signature forger and the algorithm which solves the Computational Diffie- 
Hellman problem is far to be tight, due to the presence of the value Vg 2; n. This 
is a consequence of the use of the Ring Forking Lemma, which implies that the 
security decreases exponentially in the size of the ring. Therefore, the security of 
the scheme is practical only for logarithmic-size rings (which is the case in some 
useful applications of ring signatures, as signatures with a designated verifier 
[11] or concurrent signatures [4]). 



6 ID-Based Ring Signatures from Anonymous Subsets 

We propose in this section an identity-based ring signature scheme for general 
ad-hoc access structures, which can be seen as an extension of the identity-based 
ring signature scheme proposed in Section 4. 

The idea is that all the members of some subset U s of users collaborate in 
order to compute a signature for some message. These users choose an access 
structure U = {U \, . . . ,%} formed by subsets of users, which must contain the 
subset U s . The recipient of the signature will be convinced that all the members 
of some of the subsets of U have cooperated to compute the signature, but he 
will not have any information about which is the subset that has actually signed. 

This kind of ring signature schemes was introduced by Bresson et al. in 
[3], where they proposed a scheme for the case of threshold access structures. 
Different schemes for the threshold case were proposed in [13]. On the other 
hand, a scheme for the case of general access structures was proposed in [8], for 
the Discrete Logarithm setting. 

Now we explain how the new scheme works. It runs in an ID-based scenario, 
meaning that the public keys of the users derive from their identities. Further- 
more, the access structures involved in the signatures can be any one. 




New Identity-Based Ring Signature Schemes 



37 



Setup : let Gi be an additive group of prime order q, generated by some element 
P. Let G2 be a multiplicative group with the same order q. We need q > 2 k + d, 
where k is the security parameter of the scheme and d is the maximum possible 
number of subsets in an access structure. Let e : Gi x Gi — > G2 be a pairing 
as defined above. Let Hi : {0, 1}* — ► GJ and H 2 : {0, 1}* — ► 7L q be two hash 
functions. 

The master entity chooses at random his secret key xGZ* and publishes the 
value Y = xP. 

Secret key extraction : any user Vi of the system, with identity IDi , has public 
key PKi = Hi (IDi). When he requests the master for his matching secret key, 
he obtains the value SKi = xPKi. 

Ring Signature: assume that a set U s of users (for simplicity, we denote them as 
U s = {[/ 1 , U 2 , • • • , U ns }) want to compute an anonymous signature. They choose 
the access structure U = {Ui, such that U s G 77. 

For each of the sets Ui G 77, we consider the public value 

* = E PK > • 

Uj eUi 



The algorithm for computing the ring signature is the following: 

1. Each user Uj G U s chooses at random oq G Z* and computes R s j = 
e(ajP,P). He broadcasts the value R s j- 

2 . One of the users in 77 s , for example J7i, chooses, for alii = 1, . . . , d, i 7 ^ 5 , 
random values ^ G Z*, pairwise different, and computes Ri = e(aiP , P). He 
broadcasts these values Ri , and therefore all the members of U s can compute 
hi = H(U , m, R 4 ), for alH = 1, . . . , d, i ^ s. 

3. Members of IA S compute the value 

R e = ei-Y^hM) hi R ‘j ■ 

i^s Uj (zU s 



If R s = 1 q 2 or R s = Ri for some i — 1, . . . , d, i ^ s, they return to step 1. 
Members of U s can then compute h s = H(U,m, R s ). 

4. User U\ computes and broadcasts the value 

<J 1 = oq.P T h s SKi T "y ^ aiP G Gi. 

1 

5. For j = 2 , . . . , n s , player Uj computes and broadcasts the value Gj = a jP + 
h s SKj T Gj—i G Gi* 

6 . Define a = g Us . The resulting valid signature is (W, m, i?i, . . . , hi , . . . , 

h d ,a). 




38 



Javier Herranz and German Saez 



Verification: the validity of the signature is verified by the recipient of the mes- 
sage by checking that hi = #2 (£7, m, Rfi), for i = 1, . . . , d and that 

d 

e(a,P)=e(y,Y J hiY i ) ]J R < , 

i=l l<i<d 

where Yi = ^ PKji f° r th e se ^ s ^ m th e corresponding access structure U. 

U j EUi 



6.1 Some Remarks 

It is easy to see that this distributed scheme satisfies the correctness property. 
Furthermore, the scheme can be considered as a generic ring signature scheme, if 
we see the subsets Hi in the access structure U as individual users of a standard 
ring signature scheme, with public keys PKi = Yi = ^ PAy. Therefore, by 

UjEUi 

using the Ring Forking Lemma and techniques similar to those employed in Sec- 
tion 5 of the present work, the security properties of the scheme can be proved: 
unconditional anonymity and computational unforgeability in the random ora- 
cle model, assuming that the Computational Diffie- Heilman problem is hard to 
solve. The details can be found in [9]. 

The efficiency of the scheme depends on the total number of users and the 
number of sets in the access structure. Therefore, it is a good solution for situa- 
tions where the number of sets is small. For example, if the access structure is a 

threshold one, then the number of sets is very large (it is exactly , if £ is the 

total number of users and t is the threshold). In this case, we recommend the 
use of specific threshold ring signature schemes (see [3, 13] for traditional PKI 
scenarios, and [9] for ID-based ones). 

7 Conclusions 

We have proposed in this work a new ID-based ring signature scheme, based on 
bilinear pairings. Our scheme is a generic ring signature scheme, according to 
the definition given in [7]. This allows us to use some security results provided 
in [7] for this kind of ring schemes. 

More specifically, we prove that our scheme is existentially unforgeable under 
chosen message and identities attacks, in the random oracle model, assuming that 
the Computational Diffie-Hellman problem is hard to solve. 

This new scheme is similar to the ID-based ring signature scheme of Zhang 
and Kim [14], which is also based on pairings and can be proved secure under the 
Computational Diffie-Hellman Assumption. However, the computations in the 
generation and verification of a ring signature in their scheme must be done in a 
cyclic way, whereas in our new scheme they are done in parallel, more efficiently. 

We also extend our scheme to scenarios where the ring signature is on behalf 
of some access structure of possible signing subsets. The recipient is convinced 




New Identity-Based Ring Signature Schemes 



39 



that all the members of some of these subsets have participated in the generation 
of the signature, but does not know which is the actual signing subset. 

Acknowledgment s 

The authors wish to acknowledge the anonymous referees of ICICS’04 for their 
interesting comments and suggestions about the security proofs of the paper. 



References 

1. M. Abe, M. Ohkubo and K. Suzuki. 1— out— of— n signatures from a variety of keys. 
Advances in Cryptology- Asiacrypt’02, LNCS 2501 , Springer- Verlag, pp. 415-432 
( 2002 ). 

2. M. Bellare and P. Rogaway. Random oracles are practical: a paradigm for design- 
ing efficient protocols. First ACM Conference on Computer and Communications 
Security , pp. 62-73 (1993). 

3. E. Bresson, J. Stern and M. Szydlo. Threshold ring signatures for ad-hoc groups. 
Advances in Cryptology-Crypto’02 , LNCS 2442 , Springer- Verlag, pp. 465-480 
( 2002 ). 

4. L. Chen, C. Kudla and K.G. Patterson. Concurrent signatures. Advances in 
Cryptology-Eurocrypt’04 , LNCS 3027 , Springer- Verlag, pp. 287-305 (2004). 

5. Y. Dodis, A. Kiayias, A. Nicolosi and V. Shoup. Annonymous identification in ad 
hoc groups. Advances in Cryptology-Eurocrypt’04 , LNCS 3027 , Springer- Verlag, 
pp. 609-626 (2004). 

6. S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against 
adaptative chosen- message attacks. SIAM Journal of Computing , 17 ( 2 ), pp. 281- 
308 (1988). 

7. J. Herranz and G. Saez. Forking lemmas for ring signature schemes. Proceedings 
of Indocrypt’03, LNCS 2904 , Springer- Verlag, pp. 266-279 (2003). 

8. J. Herranz and G. Saez. Ring signature schemes for general ad-hoc access struc- 
tures. Proceedings of ESAS’04, Springer- Verlag, to appear (2004). 

9. J. Herranz and G. Saez. Distributed ring signatures for identity-based scenarios. 
Technical report, available at http://eprint.iacr.org/2004/ (2004). 

10. D. Pointcheval and J. Stern. Security arguments for digital signatures and blind 
signatures. Journal of Cryptology , Vol. 13 (3), pp. 361-396 (2000). 

11. R. Rivest, A. Shamir and Y. Tauman. How to leak a secret. Advances in 
Cryptology- Asiacrypt’01, LNCS 2248 , Springer- Verlag, pp. 552-565 (2001). 

12. A. Shamir. Identity-based cryptosystems and signature schemes. Advances in 
Cryptology-Crypto’84 , LNCS 196 , pp. 47-53 (1984). 

13. J.K. Sui Liu, V.K. Wei and D.S. Wong. A separable threshold ring signature 
scheme. Proceedings of ICISC’03, LNCS 2971 , Springer- Verlag, pp. 12-26 (2004). 

14. F. Zhang and K. Kim. ID-based blind signature and ring signature from pairings. 
Advances in Cryptology- Asiacrypt’02, LNCS 2501 , Springer- Verlag, pp. 533-547 
( 2002 ). 




On the Security 

of a Multi-party Certified Email Protocol 



Jianying Zhou 



Institute for Infocomm Research 
21 Heng Mui Keng Terrace 
Singapore 119613 
j yzhou@i2r . a-star . edu . sg 



Abstract. As a value-added service to deliver important data over the 
Internet with guaranteed receipt for each successful delivery, certified 
email has been discussed for years and a number of research papers 
appeared in the literature. But most of them deal with the two-party 
scenarios, i.e., there are only one sender and one recipient. In some ap- 
plications, however, the same certified message may need to be sent to 
a set of recipients. In ISC’02, Ferrer-Gomila et. al presented a multi- 
party certified email protocol [5]. It has two major features. A sender 
could notify multiple recipients of the same information while only those 
recipients who acknowledged are able to get the information. In addi- 
tion, its exchange protocol is optimized, which has only three steps. In 
this paper, we demonstrate some flaws and weaknesses in that protocol, 
and propose an improved version which is robust against the identified 
attacks while preserving the features of the original protocol. 

Keywords: certified email, non-repudiation, security protocol 



1 Introduction 

Email has grown from a tool used by a few academics on the Arpanet to a ubiq- 
uitous communications tool. Certified email is a value-added service of ordinary 
email, in which the sender wants to obtain a receipt from the recipient. In addi- 
tion, fairness is usually a desirable requirement thus the recipient gets the mail 
content if and only if the sender obtains a receipt. 

Certified email has been discussed for years, and a number of research pa- 
pers appeared in the literature [1-3,8,10,11]. But most of them deal with the 
two-party scenarios, i.e., there are only one sender and one recipient. In some 
applications, however, the same certified message may need to be sent to a set of 
recipients. Multi-party certified email protocols were first proposed by Markow- 
itch and Kremer, using an on-line trusted third party [6], or an off-line trusted 
third party [7]. 

In ISC’02, Ferrer-Gomila et. al presented a more efficient multi-party certi- 
fied email protocol [5]. It has two major features. A sender could notify multiple 
recipients of the same information while only those recipients who acknowledged 
are able to get the information. In addition, its exchange protocol is optimized, 



J. Lopez, S. Qing, and E. Okamoto (Eds.): ICICS 2004, LNCS 3269, pp. 40-52, 2004. 
(c) Springer- Verlag Berlin Heidelberg 2004 




